Abstract

In this paper, we present a formal model of the reliable multicast service that ensures eventual 
packet delivery with, possibly, some timeliness guarantees. This model dictates precisely what it 
means to be a member of the reliable multicast group and which packets are guaranteed delivery 
to which members of the group. Moreover, it is reasonable, implementable, and broad; that is, 
it captures the intended behavior of a large collection of reliable multicast protocols. We also 
present a formal model of the Scalable Reliable Multicast (SRM) protocol [1]. We show that 
our model of SRM is safe, in the sense that it is a faithful implementation of our model of the 
reliable multicast service; that is, it may only deliver appropriate packets to each member of 
the reliable multicast group. We also show that, under certain constraints, the implementation 
is live, in the sense that it guarantees the timely delivery of the appropriate packets to the 
appropriate members of the reliable multicast group. 



1 Introduction 

With the increasing use of the Internet, multi-party communication and collaboration applications 
are becoming mainstream. Reliable multicast is a communication service that facilitates such 
applications. In the recent past, a slew of protocols have been proposed to reliably multicast 
packets efficiently [1-4, 7, 8]. However, reliability in the multicast setting has assumed many 
meanings, ranging from in-order eventual delivery to timely delivery where a small percentage 
of packet losses is tolerable. The many notions of reliability stem from the varying assumptions 
regarding the communication environment and the goals and requirements of the applications to 
which particular reliable multicast protocols cater. 

Most often, the behavior of reliable multicast protocols is described informally. To our surprise, 
a protocol's description is seldom accompanied by a precise definition of its reliability guarantees. 
In its simplest form, reliability is informally defined as the eventual delivery of all multicast 
packets to all group members; other notions of reliability include ordering, no-duplication, and 
timeliness guarantees. Although intuitive, this simplistic reliability definition does not precisely 
specify which packets are guaranteed delivery to which members of the group, especially when the 
group membership is dynamic. Moreover, protocol descriptions put little emphasis on the behavior, 
or the analysis of the behavior, of the protocol when the group membership is dynamic, either due 
to failures or frequent joins and leaves. As hosts become more mobile, a better understanding 
of the behavior of such services and protocols in the context of a dynamic group membership is 
increasingly important. 

In this paper, we present a formal model of the reliable multicast service, which we henceforth 
refer to as the reliable multicast specification (RMS). Specifying the reliable multicast service is 
not straightforward. The plethora of reliable multicast protocols cater to diverse applications that 
impose diverse correctness and performance requirements. Clearly, capturing the functionality of all 
reliable multicast protocols using a single specification would be quite complex and unwieldy. Our 
reliable multicast service specification formalizes the behavior of a number of protocols, such as 
SRM [1] and LMS [7], that strive to provide eventual delivery with, possibly, some timeliness 
guarantees. We stipulate that, in the context of dynamic group membership, membership is 
intrinsically intertwined with reliability; that is, membership and reliability must be addressed 
together. Thus, our specification dictates precisely what it means to be a member of a reliable 
multicast group and which packets are guaranteed delivery to which members of the reliable 
multicast group. We parameterize our specification with a delivery latency bound, which specifies 
an upper bound on the latency incurred to reliably deliver multicast packets. This parameterization 
results in a reliable multicast service specification that encompasses the behavior of a collection 
of reliable multicast protocols, some with loose and others with potentially stringent timeliness 
guarantees. 

We also present a formal model of the Scalable Reliable Multicast (SRM) protocol [1] . Our model 
of SRM, which we henceforth refer to as the reliable multicast implementation (RMI), involves 
several components with distinct functionalities, such as the maintenance of the reliable multicast 
group membership and the packet loss recovery. This decomposition simplifies the reasoning and 
facilitates future modifications to the implementation. We show that RMI is safe, in the sense that 
it is a faithful implementation of RMS; that is, it may only deliver appropriate packets to each 
member of the reliable multicast group. We also show that, under certain constraints, RMI is live, 
in the sense that it guarantees the timely delivery of the appropriate packets to the appropriate 
members of the group. 

The rest of the paper is organized as follows. Section 2 presents our modeling framework. Section 3 
presents the abstract view of the physical system that we adopt in our work. Section 4 presents 
RMS and its eventual and timely reliability properties. Section 5 presents RMI, derives constraints 
on RMI's packet loss recovery parameters, and analyzes RMI's safety and liveness with respect to 
RMS. Finally, Section 6 presents the paper's contributions and future work directions. 

2 Modeling Framework and Notation 

In this paper, we use the timed input/output (I/O) automaton (TIOA) modeling framework 
(introduced as the general timed automaton model in Ref. 6), a framework for modeling timed 
systems. A timed I/O automaton A is a state machine in which transitions are labeled by actions. 
A's actions (acts(A)) are partitioned into input (in(A)), output (out(A)), internal (int(A)), and 
time-passage sets. Time-passage actions model the passage of time. The input and output actions 
of A are collectively referred to as external, denoted ext(A). Input, output, and time-passage 
actions are collectively referred to as visible, denoted vis(A). A timed I/O automaton A is 
defined by its signature (input, output, internal, and time-passage actions), states (states(A)), 
start states (start(A)), and state-transition relation (trans(A)). The state-transition relation of 
A is a subset of the cross product of states, actions, and states that dictates A's allowable transitions; that is, 
$trans(A) \subseteq states(A) \times acts(A) \times states(A)$, and a transition of A from s to s' through action $\pi$ is 
denoted by the tuple $(s, \pi, s')$. 

A timed execution fragment $\alpha$ of A is a finite or infinite alternating sequence, $\alpha = s_0 \pi_1 s_1 \pi_2 s_2 \cdots$, 
of states and actions consistent with A's state-transition relation; that is, $s_k \in states(A)$, 
$\pi_{k+1} \in acts(A)$, and $(s_k, \pi_{k+1}, s_{k+1}) \in trans(A)$, for all $k \in \mathbb{N}$. For any two timed execution 
fragments $\alpha$ and $\alpha'$ of A, we use the notation $\alpha \leq \alpha'$ to denote that $\alpha$ is a prefix of $\alpha'$. A timed 
execution fragment of A is admissible if an infinite amount of time elapses within the particular 
fragment. An admissible timed execution fragment $\alpha$ of A is fair when no action is enabled in 
every state of a suffix of $\alpha$ without appearing in the given suffix. The time of occurrence of an 
action $\pi_k$, for $k \in \mathbb{N}^+$, within a timed execution fragment $\alpha$ of A is the time elapsing within $\alpha$ prior 
to the occurrence of $\pi_k$. Letting $s, s' \in states(A)$ be any two states occurring in a timed execution 
fragment $\alpha$ of A, we use the notation $s \leq_\alpha s'$ ($s <_\alpha s'$) to denote that the particular occurrence of 
s appears no later than (prior to, respectively) the particular occurrence of s' in $\alpha$. 

The timed trace $\beta$ of a timed execution fragment $\alpha$ of A is the sequence of visible actions in $\alpha$, each 
paired with its time of occurrence. For any two timed traces $\beta$ and $\beta'$ of A, we use the notation 
$\beta \leq \beta'$ to denote that $\beta$ is a prefix of $\beta'$. 

A timed execution of A is a timed execution fragment of A that begins in one of A's start states. 
We let aexecs(A) denote the set of all admissible timed executions of A, attraces(A) denote the 
timed traces of all executions in aexecs(A), fair-aexecs(A) denote the set of all fair admissible timed 
executions of A, and fair-attraces(A) denote the timed traces of all executions in fair-aexecs(A). 

Two timed I/O automata $A_1$ and $A_2$ are compatible if $int(A_i) \cap acts(A_j) = \emptyset$ and $out(A_i) \cap out(A_j) = \emptyset$, 
for $i, j \in \{1, 2\}$, $i \neq j$. The composition of compatible timed I/O automata yields a timed I/O 
automaton. The hiding operation reclassifies output actions of a timed I/O automaton as internal. 
Letting A, B be timed I/O automata with the same external interface, B implements A, denoted 
$B \leq A$, when its external behavior is allowed by A; that is, when $attraces(B) \subseteq attraces(A)$. 
The implementation relation between two timed I/O automata is often shown by defining a timed 
simulation relation; that is, by relating states of B to states of A and showing that for any step of B 
there is a timed execution fragment of A with the same timed trace as the step of B that preserves 
the state relation. 

We use a precondition-effect style notation to define the state-transition relations of timed I/O 
automata. Moreover, we use the notation $S_1 \cup= S_2$, $S_1 \setminus= S_2$, and $s :\in S$ as shorthand for 
$S_1 := S_1 \cup S_2$, $S_1 := S_1 \setminus S_2$, and the assignment of an arbitrary element of S to the variable s. 

3 The Physical System 

We assume that the physical system is comprised of an infinite set of hosts that interact through an 
underlying network. This network involves a set of interconnected routers. Each host is connected 
to a particular router of the underlying network; for each host, we refer to this particular router 
as the gateway router of the particular host. Hosts and routers are connected among themselves 
through bi-directional communication links. 

We assume that all hosts are of comparable processing power and storage resources. Resident 
on each host are a set of processes. We assume that hosts are symmetric in the sense that the 
same set of processes reside on each host. The set of processes on each host consists of a single 
application process and several additional communication service processes. Henceforth, we refer 
to the application process at each host as the client at the given host. The communication service 
processes, either individually or collectively, provide the communication services required by the 
client. For instance, the IP unicast service may be modeled as a set of processes, one such process 
for each host. Clients may thus exchange IP unicast packets through their respective IP unicast 
processes; these may in turn interact with the hosts' gateway routers. 

In terms of system faults, we consider only host crashes and packet drops on the communication 
links. Once a host crashes it remains crashed thereafter. A host is said to be operational prior to 
crashing and to have crashed thereafter. All the processes on each host are fate-sharing; that is, if 
a host crashes, then all of its processes crash. Router failures and network partitions are assumed 
to be ephemeral. Such failures are modeled as numerous consecutive packet drops. 



Figure 1 Reliable Multicast Specification Component Interaction 

Since crashes are assumed to be permanent, we model host restarts implicitly. We think of the 
restarting of a host as its reincarnation as a completely new host; that is, after crashing, a host 
may assume the identity of another host that has up to that point in time been idle. This modeling 
simplification is equivalent to explicitly modeling host restarts and having hosts choose a unique 
host identifier each time they restart. Such an identifier could involve, for instance, the processor 
identifier and an infinite reincarnation counter that is stable across crashes. 

4 Reliable Multicast Specification (RMS) 

We abstractly model the reliable multicast service as a single component that interacts with all 
client processes. Thus, the reliable multicast service encapsulates the behavior of all communication 
service processes at all hosts and the underlying network. For simplicity, we assume that there is 
a single reliable multicast group. Since we assume a single client per host and a single reliable 
multicast group, we do not distinguish among the client process and the host when considering 
reliable multicast group membership. In fact, we often use the terms client and host interchangeably. 

Throughout our treatment of reliable multicast, we adopt the packet naming scheme used by 
Floyd et al. [1]. In this scheme, clients (applications) assign unique sequence numbers to each 
packet they multicast. These sequence numbers are assigned in a continuous fashion as hosts join, 
leave, and rejoin the reliable multicast group; that is, consecutive packets sent by each host are 
assigned consecutive sequence numbers. Thus, packets are uniquely and persistently identified by 
a pair involving their source host and their sequence number. Since the clients (applications) are 
responsible for naming packets, packets are referred to as application data units (ADUs). 



4.1 Formal Model 

We formally specify the reliable multicast service and each of the client processes using timed I/O 
automata. The automaton RM(Δ), for $\Delta \in \mathbb{R}^{\geq 0} \cup \{\infty\}$, models the reliable multicast service. 
RM(Δ) defines what it means to be a member of the reliable multicast group and specifies 
precisely which packets are guaranteed delivery to each member of the reliable multicast group. 
The parameter Δ specifies an upper bound on the amount of time required by the reliable multicast 
service to reliably deliver each packet. The automaton RM-Client_h models the client at the host 
h. We let RM-Clients denote the composition of all client automata and RMS(Δ), for any 
$\Delta \in \mathbb{R}^{\geq 0} \cup \{\infty\}$, denote the composition of the reliable multicast service and all client automata; 
that is, $\mathrm{RMS}(\Delta) = \mathrm{RM}(\Delta) \times \textit{RM-Clients}$. Figure 1 depicts the interaction of the RM(Δ) and 
RM-Client_h, for $h \in H$, automata. 

We proceed by presenting some preliminary definitions and, subsequently, defining the RM(Δ) and 
RM-Client_h automata. 

Figure 2 Reliable Multicast Specification Definitions 

H = Set of all hosts.

Status = {idle, joining, leaving, member, crashed}

P_RM-Client = Set of packets such that ∀ p ∈ P_RM-Client:
    source(p) ∈ H
    seqno(p) ∈ ℕ
    data(p) ∈ {0, 1}*
    id(p) ∈ H × ℕ : id(p) = (source(p), seqno(p))
    suffix(p) = {(s, i) ∈ H × ℕ | source(p) = s ∧ seqno(p) ≤ i}

4.1.1 Preliminary Definitions 

Figure 2 includes several set definitions pertaining to our reliable multicast service specification. 
H is the set of all hosts that could potentially participate in the reliable multicast communication. 

The set Status consists of all possible valuations of the reliable multicast membership status of a 
host. The value idle indicates that the host is idle with respect to the reliable multicast group; 
that is, it is neither a member, nor in the process of joining or leaving the reliable multicast 
group. The value joining indicates that the host is in the process of joining the reliable multicast 
group; that is, the client has issued a request to join the reliable multicast group and is awaiting 
an acknowledgment of this join request from the reliable multicast service. The value leaving 
indicates that the client is in the process of leaving the reliable multicast group; that is, the client 
has issued a request to leave the reliable multicast group and is awaiting an acknowledgment of 
this leave request from the reliable multicast service. The value member indicates that the client is 
a member of the reliable multicast group. The value crashed indicates that the host has crashed. 

The set $P_{\textit{RM-Client}}$ represents the set of packets that may be transmitted by the client processes 
using the reliable multicast service. According to the ADU naming scheme described above, data 
segments are identified by their original source and a sequence number. Thus, for any packet 
$p \in P_{\textit{RM-Client}}$ the operations source(p), seqno(p), and data(p) extract the source, sequence 
number, and data segment corresponding to the packet p. The operation id(p) extracts the source 
and sequence number pair corresponding to the packet p. Such pairs comprise unique packet 
identifiers. We also define suffix(p) to be the subset of $P_{\textit{RM-Client}}$ comprised of all packets 
whose source is that of p and whose sequence number is greater than or equal to that of p. 

4.1.2 The RM(Δ) Automaton 

Figure 3 presents the signature, the variables, and the discrete transitions of RM(Δ). The RM(Δ) 
automaton maintains the set of members of the reliable multicast group. Hosts initiate the process 
of joining and leaving the reliable multicast group by issuing join and leave requests to the reliable 
multicast service. A request to join the reliable multicast group is effective only when the host is 
idle with respect to the reliable multicast group; that is, it is operational and neither a member of 
nor in the process of joining or leaving the reliable multicast group. A host becomes a member of 
the reliable multicast group upon the acknowledgment of an earlier join request. Hosts may only 
send and receive packets through the reliable multicast service while they are both operational and 
members of the reliable multicast group. Once a host issues a request to leave the reliable multicast 
group, it ceases to be a member of the reliable multicast group and, thus, relinquishes its right to 
receive any more reliable multicast packets. Leave requests overrule join requests in the sense that 
if the client is already in the process of joining the group while it issues a leave request, then the 
process of joining is aborted and the process of leaving is initiated. Once a host leaves the reliable 
multicast group, it may later rejoin the reliable multicast group by re-issuing a join request. Hosts 
may crash at any point in time. Once a host has crashed, the reliable multicast service ignores all 
events pertaining to the crashed host. Recall that host restarts are treated implicitly by thinking 
of host restarts as host reincarnations. 

We say that a member h of the reliable multicast group has delivered the packet p if it has either 
sent or received the packet p. We say that a member h of the reliable multicast group is aware 
of a packet p, or is expecting p, if it has delivered either p or an earlier packet p' from the source 
of p. Moreover, we say that a packet p is active if at least one member of the reliable multicast 
group that has become aware of p since last joining the reliable multicast group has also delivered 
it since last joining the reliable multicast group. 

Once a host joins the reliable multicast group, the issue of catching up on any of the packets 
multicast earlier is orthogonal to the transmission of future packets using the reliable multicast 
service. Thus, once a host joins the reliable multicast group, the first packet it receives from 
a particular source dictates the set of packets that are guaranteed delivery to the given host. In 
particular, none of the earlier packets are guaranteed delivery, whereas each of the later packets that 
remains active after being sent is guaranteed delivery, provided the host remains a member of the 
reliable multicast group. The host may catch up on earlier packets from the given source through a 
separate service. For example, earlier packets may be requested directly from the source through a 
unicast communication channel. The rationale behind this modeling choice is that the recovery of a 
large number of earlier packets may strain the reliable multicast service and wastefully expose the 
recovery of earlier packets to all or a subset of the reliable multicast group. 

If Δ = ∞, then RM(Δ) guarantees that if a packet p remains active forever after its transmission, 
then any member that becomes aware of p and remains a member of the reliable multicast group 
thereafter delivers p. Equivalently, if two members become aware of a packet p, remain members 
forever thereafter, and one member delivers p, then the other member delivers p also. It is important 
to note that a host is not required to remain a member of the reliable multicast group indefinitely in 
order for the packets it multicasts to be received by hosts that become aware of them; the eventual 
reception of packets is guaranteed to all hosts that become aware of them provided the packets 
remain active forever after they are sent. 

If $\Delta \in \mathbb{R}^{\geq 0}$, then RM(Δ) guarantees that if a packet remains active for Δ time units past its 
transmission, then it is delivered to all hosts that become aware of it within these Δ time units 
and, subsequently, remain members of the reliable multicast group for the remainder of these 
Δ time units. 

Parameters The RM automaton is parameterized by a time bound, $\Delta \in \mathbb{R}^{\geq 0} \cup \{\infty\}$, which 
specifies the maximum delay in delivering each packet sent to the appropriate members of the 
reliable multicast group. The value ∞ corresponds to the case in which the reliable multicast 
service guarantees the eventual delivery of all packets to the appropriate members of the reliable 
multicast group. An instance of the RM automaton is denoted by RM(Δ). 

Variables The variable $now \in \mathbb{R}^{\geq 0}$ denotes the time that has elapsed since the beginning of an 
execution of RM. Each variable $status(h) \in Status$, for $h \in H$, denotes the status of the host h. 
Each of its valuations is described in the definition of the set Status. We say that the host h is 
operational if it has not crashed. After a host h crashes, none of the input actions pertaining to h 
affect the state of RM and none of the locally controlled actions pertaining to h are enabled. 

Each variable $\textit{trans-time}(p) \in \mathbb{R}^{\geq 0} \cup \{\bot\}$, for $p \in P_{\textit{RM-Client}}$, denotes the transmission time of 
the packet p; that is, the time the packet p was sent by its source. Prior to the transmission of p, 
trans-time(p) is equal to $\bot$. Each variable $\textit{expected}(h, h') \subseteq H \times \mathbb{N}$, for $h, h' \in H$, is the set comprised 
of the identifiers of the packets from h' that the host h is aware of since it last joined the reliable 
multicast group and, consequently, expects to deliver. Each variable $\textit{delivered}(h, h') \subseteq H \times \mathbb{N}$, for 
$h, h' \in H$, is the set comprised of the identifiers of the packets from h' that the host h has delivered. 

Figure 3 The RM(Δ) Automaton 

Parameters:
    Δ ∈ R≥0 ∪ {∞}

Actions:
    Input:
        crash_h, for h ∈ H
        rm-join_h, for h ∈ H
        rm-leave_h, for h ∈ H
        rm-send_h(p), for h ∈ H, p ∈ P_RM-Client
    Output:
        rm-join-ack_h, for h ∈ H
        rm-leave-ack_h, for h ∈ H
        rm-recv_h(p), for h ∈ H, p ∈ P_RM-Client
    Time Passage:
        ν(t), for t ∈ R≥0

Variables:
    now ∈ R≥0, initially now = 0
    status(h) ∈ Status, for all h ∈ H, initially status(h) = idle, for all h ∈ H
    trans-time(p) ∈ R≥0 ∪ {⊥}, for all p ∈ P_RM-Client, initially trans-time(p) = ⊥, for all p ∈ P_RM-Client
    expected(h, h') ⊆ H × ℕ, for all h, h' ∈ H, initially expected(h, h') = ∅, for all h, h' ∈ H
    delivered(h, h') ⊆ H × ℕ, for all h, h' ∈ H, initially delivered(h, h') = ∅, for all h, h' ∈ H

Derived Variables:
    idle = {h ∈ H | status(h) = idle}
    joining = {h ∈ H | status(h) = joining}
    leaving = {h ∈ H | status(h) = leaving}
    members = {h ∈ H | status(h) = member}
    intended(p) = {h ∈ H | id(p) ∈ expected(h, source(p))}, for all p ∈ P_RM-Client
    completed(p) = {h ∈ H | id(p) ∈ delivered(h, source(p))}, for all p ∈ P_RM-Client
    sent-pkts = {p ∈ P_RM-Client | trans-time(p) ≠ ⊥}
    active-pkts = {p ∈ P_RM-Client | p ∈ sent-pkts ∧ intended(p) ∩ completed(p) ≠ ∅}

Discrete Transitions:

    input crash_h
        eff status(h) := crashed
            foreach h' ∈ H do:
                expected(h, h') := ∅
                delivered(h, h') := ∅

    input rm-join_h
        eff if h ∈ idle then
                status(h) := joining

    input rm-leave_h
        eff if h ∈ joining ∪ members then
                status(h) := leaving
                foreach h' ∈ H do:
                    expected(h, h') := ∅
                    delivered(h, h') := ∅

    input rm-send_h(p)
        eff if h ∈ members ∩ {source(p)} then
                if expected(h, h) = ∅ then
                    expected(h, h) := suffix(p)
                if id(p) ∈ expected(h, h) then
                    trans-time(p) := now
                    delivered(h, h) ∪= {id(p)}

    output rm-join-ack_h
        pre h ∈ joining
        eff status(h) := member

    output rm-leave-ack_h
        pre h ∈ leaving
        eff status(h) := idle

    output rm-recv_h(p)
        pre h ∈ members \ {source(p)}
            ∧ p ∈ sent-pkts
            ∧ (expected(h, source(p)) = ∅ ⇒ now ≤ trans-time(p) + Δ)
            ∧ (expected(h, source(p)) ≠ ∅ ⇒ id(p) ∈ expected(h, source(p)))
        eff if expected(h, source(p)) = ∅ then
                expected(h, source(p)) := suffix(p)
            delivered(h, source(p)) ∪= {id(p)}

    time-passage ν(t)
        pre ∀ p ∈ active-pkts,
                now + t ≤ trans-time(p) + Δ
                ∨ intended(p) ⊆ completed(p)
        eff now := now + t

Derived Variables The derived variable $\textit{idle} \subseteq H$ is the set of hosts comprised of all the 
hosts that are idle with respect to the reliable multicast group. The derived variable $\textit{joining} \subseteq H$ 
is the set of hosts that are in the process of joining the reliable multicast group. The derived variable 
$\textit{leaving} \subseteq H$ is the set of hosts that are in the process of leaving the reliable multicast group. The 
derived variable $\textit{members} \subseteq H$ is the set of hosts that are members of the reliable multicast group. 
The derived variable intended(p), for each $p \in P_{\textit{RM-Client}}$, is the set of hosts that are expecting 
the delivery of the packet p. We henceforth refer to the set intended(p) as the intended delivery 
set of p. The derived variable completed(p), for each $p \in P_{\textit{RM-Client}}$, is the set of hosts that have 
delivered the packet p. Recall that we say that a host has delivered a packet p if it has either 
sent or received p. We henceforth refer to the set completed(p) as the completed delivery set of p. 
The derived variable sent-pkts is the set of packets that have been sent since the beginning of the 
given execution of the RM(Δ) automaton. The derived variable active-pkts is the set comprised of 
the sent packets that have been delivered by at least one of the hosts in their respective intended 
delivery sets. 

Input Actions Each input action crash_h, for $h \in H$, models the crashing of the host h. The 
effects of crash_h are to record that the host h has crashed by setting the variable status(h) to 
the value crashed. Furthermore, the crash_h action resets the set of packets that the host h is 
expecting from each source and the set of packets it has delivered from each source. Thus, the RM 
automaton is released of the obligation to deliver any of the active packets to the host h. 

The input action rm-join_h models the client's request at the host h to join the reliable multicast 
group. The rm-join_h action is effective only while the host h is idle with respect to the reliable 
multicast group. When effective, the rm-join_h action sets the status(h) variable to joining so 
as to record that the host h has initiated the process of joining the reliable multicast group. If 
the client is either a member of or in the process of joining the reliable multicast group, then the 
rm-join_h action is superfluous. If the client is already in the process of leaving the group, then the 
rm-join_h action is discarded so as to allow the process of leaving the reliable multicast group to 
complete. 

The input action rm-leave_h models the client's request at the host h to leave the reliable multicast 
group. The rm-leave_h action is effective only while the host h is a member of or in the process 
of joining the reliable multicast group. When effective, the rm-leave_h action sets the status(h) 
variable to leaving so as to record that the host h has initiated the process of leaving the reliable 
multicast group. Moreover, the rm-leave_h action initializes the set of packets that the host h is 
expecting from each source and the set of packets it has delivered from each source. Thus, the RM 
automaton is released of the obligation to deliver any of the active packets to the host h. Leave 
requests overrule join requests; that is, when an rm-leave_h action is performed while the host h is in 
the process of joining the reliable multicast group, its effects are to abort the process of joining and 
to initiate the process of leaving the reliable multicast group. If the client is either idle or already 
in the process of leaving the reliable multicast group, then the rm-leave_h action is superfluous. 

The client at h sends the packet p using the reliable multicast service through the input action 
rm-send_h(p). The rm-send_h(p) action is effective only when the host h is both a member of the 
reliable multicast group and the source of the packet p. If p is the first packet sent by the host h, 
then the rm-send_h(p) action initializes the set of packets expected by h from h to the set suffix(p); 
that is, all packets whose source is h and whose sequence number is greater than or equal to that of p. 
Then, if p is in the expected set of packets of h from h, the rm-send_h(p) action records the transmission 
time of p by setting the variable trans-time(p) to now and adds the packet p to the set of packets 
from the host h that the host h has delivered. 

Output Actions The output action rm-join-ack_h acknowledges the join request of the client 
at h. The action rm-join-ack_h is enabled when the host h is in the process of joining the reliable 
multicast group. Its effects are to set the status(h) variable to member so as to indicate that the 
client at h has become a member of the reliable multicast group. 

The output action rm-leave-ack_h acknowledges the leave request of the client at h. The action 
rm-leave-ack_h is enabled when the host h is in the process of leaving the reliable multicast group. 
Its effects are to set the status(h) variable to idle so as to indicate that the client at h has become 
idle with respect to the reliable multicast group. 

The output action rm-recv_h(p) models the delivery of the packet p to the client at h. The 
rm-recv_h(p) action is enabled when the host h is a member of the reliable multicast group, the 
host h is not the source of p, and p is an active packet. Moreover, if the expected delivery set of h 
with respect to the source of p is undefined, then the delivery deadline trans-time(p) + Δ of p must 
not have expired; that is, the first packet from any source to be delivered to any client must be 
delivered prior to its delivery deadline. If the expected delivery set of h with respect to the source 
of p has already been defined, then p must be expected by h. The effects of the rm-recv_h(p) action 
are: i) to define the expected delivery set of h with respect to the source of p to the set suffix(p), 
unless already defined, and ii) to add the host h to the completed delivery set of p. 

Time Passage The action ν(t) models the passage of t time units. Time is prevented from 
elapsing past the delivery deadline of any active packet that has yet to be delivered to all the hosts 
in its intended delivery set. Thus, prior to allowing time to elapse past the delivery deadline of an 
active packet, all the hosts in its intended delivery set must either send or receive the packet, leave 
the reliable multicast group, or crash. 
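As an added illustration (not code from the paper), the following Python encodes RM(Δ) from Figures 2 and 3 as a trace checker: input actions always apply their guarded effects, while output and time-passage actions raise when their precondition fails, so a concrete timed trace can be checked against the specification. It assumes hosts are strings and represents the infinite set suffix(p) by its first sequence number.

```python
"""Trace checker for the RM(Delta) automaton of Figures 2 and 3.
Added example, not the paper's code. Hosts are strings (assumption); a packet
id is (source, seqno) as in Figure 2; expected(h, h') is stored as None
(empty set) or as the first expected seqno, which stands for suffix(p)."""
from collections import defaultdict


class PreconditionViolation(Exception):
    """A locally controlled action was attempted while not enabled."""


def require(cond, action):
    if not cond:
        raise PreconditionViolation(action)


class RMSpec:
    """State of RM(Delta); delta is a non-negative number or float('inf')."""

    def __init__(self, delta):
        self.delta, self.now = delta, 0.0
        self.status = defaultdict(lambda: "idle")       # status(h)
        self.trans_time = {}                             # absent == bottom
        self.expected = defaultdict(lambda: None)        # expected(h, src)
        self.delivered = defaultdict(set)                # delivered(h, src)

    # derived variables of Figure 3
    def members(self):
        return {h for h, s in self.status.items() if s == "member"}
    def _expects(self, h, pid):
        first = self.expected[(h, pid[0])]
        return first is not None and pid[1] >= first
    def intended(self, pid):
        return {h for (h, src) in list(self.expected)
                if src == pid[0] and self._expects(h, pid)}
    def completed(self, pid):
        return {h for (h, src), ids in self.delivered.items()
                if src == pid[0] and pid in ids}
    def active_pkts(self):
        return {p for p in self.trans_time if self.intended(p) & self.completed(p)}
    def _forget(self, h):                                # crash_h / rm-leave_h effect
        for key in [k for k in self.expected if k[0] == h]:
            self.expected[key], self.delivered[key] = None, set()

    # input actions: always accepted, effects guarded exactly as in Figure 3
    def crash(self, h):
        self.status[h] = "crashed"
        self._forget(h)
    def rm_join(self, h):
        if self.status[h] == "idle":
            self.status[h] = "joining"
    def rm_leave(self, h):
        if self.status[h] in ("joining", "member"):     # leave overrules join
            self.status[h] = "leaving"
            self._forget(h)
    def rm_send(self, h, pid):
        if self.status[h] == "member" and pid[0] == h:
            if self.expected[(h, h)] is None:
                self.expected[(h, h)] = pid[1]           # := suffix(p)
            if self._expects(h, pid):
                self.trans_time[pid] = self.now
                self.delivered[(h, h)].add(pid)

    # output and time-passage actions: preconditions are enforced
    def rm_join_ack(self, h):
        require(self.status[h] == "joining", f"rm-join-ack_{h}")
        self.status[h] = "member"
    def rm_leave_ack(self, h):
        require(self.status[h] == "leaving", f"rm-leave-ack_{h}")
        self.status[h] = "idle"
    def rm_recv(self, h, pid):
        src = pid[0]
        fresh = self.expected[(h, src)] is None          # no expected set yet
        require(h in self.members() and h != src and pid in self.trans_time
                and (not fresh or self.now <= self.trans_time[pid] + self.delta)
                and (fresh or self._expects(h, pid)), f"rm-recv_{h}{pid}")
        if fresh:
            self.expected[(h, src)] = pid[1]             # := suffix(p)
        self.delivered[(h, src)].add(pid)
    def advance(self, t):                                # nu(t)
        for p in self.active_pkts():   # time may not pass an undelivered packet's deadline
            require(self.now + t <= self.trans_time[p] + self.delta
                    or self.intended(p) <= self.completed(p), f"nu({t}) blocked by {p}")
        self.now += t


def deadline_scenario(delta=2.0):
    """Constructed trace: r learns of s's stream via (s, 0), so (s, 1) is owed
    to r within delta; until r receives it, time cannot pass the deadline."""
    rm = RMSpec(delta)
    for h in ("s", "r"):
        rm.rm_join(h)
        rm.rm_join_ack(h)
    rm.rm_send("s", ("s", 0))
    rm.rm_recv("r", ("s", 0))
    rm.rm_send("s", ("s", 1))            # active: s is in intended and completed
    out = {"r_owed": "r" in rm.intended(("s", 1))}
    try:
        rm.advance(delta + 1)            # would pass trans-time(p) + delta
        out["late_passage_allowed"] = True
    except PreconditionViolation:
        out["late_passage_allowed"] = False
    rm.rm_recv("r", ("s", 1))            # delivered before the deadline
    rm.advance(delta + 1)                # now enabled
    out["now"] = rm.now
    return out
```

Running a protocol implementation's observed trace through this checker is one way to make the "safe" claim of Section 5 concrete: any output or time-passage step the checker rejects is a trace RM(Δ) does not allow.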

4.1.3 The RM-Client_h Automata 

Figure 4 presents the signature, the variables, and the discrete transitions of RM-Client_h. The 
RM-Client_h automaton models a well-behaved client; that is, a client that: i) transmits packets 
only when it is a member of the reliable multicast group, ii) transmits packets in ascending and 
contiguous sequence number order, iii) issues join requests only when it is idle with respect to the 
reliable multicast group, and iv) issues leave requests only when it is a member of the reliable 
multicast group. 

Variables  The variable now ∈ ℝ≥0 denotes the time that has elapsed since the beginning of an 
execution of RM-Client_h. The variable status ∈ Status denotes the membership status of the 
host h. It takes on one of the following values: idle, joining, leaving, member, and crashed. 
These values indicate whether the host h is idle, joining, leaving, a member of the reliable 
multicast group, or has crashed, respectively. We say that a host h is operational if it has not 
crashed. After a host h crashes, none of the input actions affect the state of RM-Client_h and 
none of the locally controlled actions, except the time passage action, are enabled. The variable 
seqno ∈ ℕ ∪ ⊥ indicates the sequence number of the last packet to have been transmitted by 
RM-Client_h; the value ⊥ indicates that RM-Client_h has yet to transmit a packet using the 
reliable multicast service. The seqno variable is initialized to ⊥. 

Input Actions  The input action crash_h models the crashing of the host h. The effects of crash_h 
are to record that the host h has crashed by setting the status variable to crashed. 

The input action rm-join-ack_h acknowledges the client's join request at h. If the client is in the 
process of joining the reliable multicast group, i.e., status = joining, then the rm-join-ack_h 
action sets the status variable to member so as to indicate that the client at h has become a member 
of the reliable multicast group. 

The input action rm-leave-ack_h acknowledges the client's leave request at h. If the client is in 
the process of leaving the reliable multicast group, i.e., status = leaving, then the rm-leave-ack_h 
action sets the status variable to idle so as to indicate that the client at h has become idle with 
respect to the reliable multicast group. 

Figure 4  The RM-Client_h Automaton 

Parameters: 
  h ∈ H 

Actions: 
  Input: 
    crash_h 
    rm-join-ack_h 
    rm-leave-ack_h 
    rm-recv_h(p), for all p ∈ P_RM-Client 
  Output: 
    rm-join_h 
    rm-leave_h 
    rm-send_h(p), for all p ∈ P_RM-Client 
  Time Passage: 
    ν(t), for t ∈ ℝ≥0 

Variables: 
  now ∈ ℝ≥0, initially now = 0 
  status ∈ Status, initially status = idle 
  seqno ∈ ℕ ∪ ⊥, initially seqno = ⊥ 

Discrete Transitions: 
  input crash_h 
    eff status := crashed 

  input rm-join-ack_h 
    eff if status = joining then 
          status := member 

  input rm-leave-ack_h 
    eff if status = leaving then 
          status := idle 

  input rm-recv_h(p) 
    eff None 

  output rm-join_h 
    pre status = idle 
    eff status := joining 

  output rm-leave_h 
    pre status = member 
    eff status := leaving 

  output rm-send_h(p) 
    pre status = member ∧ source(p) = h 
        ∧ (seqno = ⊥ ∨ seqno(p) = seqno + 1) 
    eff seqno := seqno(p) 

  time-passage ν(t) 
    pre None 
    eff now := now + t 


The input action rm-recv_h(p) models the delivery of the packet p to the client at h. This action 
has no effects. 

Output Actions  The output action rm-join_h is performed by the client to initiate the process 
of joining the reliable multicast group. This action is enabled only while the client is idle with 
respect to the reliable multicast group. Its effects are to set the status variable to joining so as 
to indicate that the client at h has initiated the process of joining the reliable multicast group. 

The output action rm-leave_h is performed by the client so as to initiate the process of leaving the 
reliable multicast group. This action is enabled only while the client is a member of the reliable 
multicast group. Thus, the client waits for join requests to complete prior to issuing leave requests. 
Its effects are to set the status variable to leaving so as to indicate that the client at h has initiated 
the process of leaving the reliable multicast group. 

The output action rm-send_h(p) models the client's transmission of the packet p using the reliable 
multicast service. The rm-send_h(p) action is enabled when the client is a member of the reliable 
multicast group and the packet p is either the first or the next packet in the sequence of packets 
to be transmitted by the client at h; that is, status = member, source(p) = h, and either seqno = ⊥ 
or seqno(p) = seqno + 1. The effects of the rm-send_h(p) action are to set seqno to seqno(p) (or, 
equivalently, to increment seqno), thus recording the transmission of the packet p. 

Time Passage  The action ν(t) models the passage of t time units. It is enabled at any point in 
time and increments the variable now by t time units. 
4.2 Preliminary Properties and Definitions 

The automaton RM-Client_h, for any h ∈ H, satisfies transmission correctness, transmission 
uniqueness, and in-order transmission. Transmission correctness is the property that clients only 
transmit packets for which they are actually the source. Transmission uniqueness is the property 
that no two packets transmitted by a client share the same identifier. Finally, in-order transmission 
is the property that each client transmits packets through the reliable multicast group in ascending 
sequence number order. 

Lemma 4.1 (Transmission Correctness)  Let β be any timed trace of RM-Client_h, for any 
h ∈ H. If β contains the action rm-send_h(p), for some p ∈ P_RM-Client, then the host h is the 
source of p; that is, h = source(p). 

Proof: Follows directly from the precondition of the action rm-send_h(p). ■ 

Lemma 4.2 (Transmission Uniqueness)  Let β be any timed trace of RM-Client_h, for any 
h ∈ H. For any packet identifier (s, i) ∈ H × ℕ, at most one packet p ∈ P_RM-Client is transmitted 
within β; that is, β contains at most one action rm-send_h(p), for p ∈ P_RM-Client, such that 
id(p) = (s, i). 

Proof: Let α be any timed execution of RM-Client_h such that β = ttrace(α). Within α each 
action rm-send_h(p'), for p' ∈ P_RM-Client such that source(p') = h, transmits the packet p' whose 
sequence number is equal to seqno and increments the variable seqno. Since no other actions affect 
the variable seqno, it follows that seqno monotonically increases each time a packet is transmitted. 
Thus, β does not contain the transmission of more than one packet sharing the same sequence 
number. ■ 

Lemma 4.3 (In Order Transmission)  Let β be any timed trace of RM-Client_h, for h ∈ H, 
that contains the actions rm-send_h(p) and rm-send_h(p'), for p, p' ∈ P_RM-Client, such that h = 
source(p) = source(p') and seqno(p) < seqno(p'). Then, the action rm-send_h(p) precedes the 
action rm-send_h(p') in β. 

Proof: The effects of any rm-send_h(p''), for p'' ∈ P_RM-Client, are to increment the variable 
RM-Client_h.seqno. Moreover, no other action affects the variable RM-Client_h.seqno. Thus, 
the variable RM-Client_h.seqno is monotonically non-decreasing in any execution of RM-Client_h. 

The actions rm-send_h(p) and rm-send_h(p') are enabled only when seqno(p) = RM-Client_h.seqno 
and seqno(p') = RM-Client_h.seqno, respectively. It follows that rm-send_h(p) precedes the action 
rm-send_h(p') in any timed execution α of RM-Client_h such that β = ttrace(α). ■ 
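The following is an added, executable rendition of the RM-Client_h automaton of Figure 4 together with trace-level checkers for Lemmas 4.1 to 4.3; it is not code from the paper. The class, method and field names, the Packet tuple, the use of None for ⊥ and the recorded-trace encoding are this example's own assumptions. Output actions return False instead of taking a step when their precondition fails, which is how the guards of Figure 4 surface as the three lemmas.

```python
"""Added example: an executable rendition of the RM-Client_h automaton of
Figure 4 together with checkers for Lemmas 4.1-4.3 over the timed trace it
records. Class, method and field names are this example's own."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    source: str  # source(p)
    seqno: int   # seqno(p); id(p) = (source(p), seqno(p))


@dataclass
class RMClient:
    # State of RM-Client_h: now, status and seqno, as in Figure 4.
    h: str
    now: float = 0.0
    status: str = "idle"          # idle | joining | leaving | member | crashed
    seqno: Optional[int] = None   # None stands for ⊥
    trace: List[Tuple[float, str, Optional[Packet]]] = field(default_factory=list)

    def _record(self, name: str, p: Optional[Packet] = None) -> None:
        self.trace.append((self.now, name, p))

    # Input actions: always enabled; effects are guarded as in Figure 4.
    def crash(self) -> None:
        self._record("crash")
        self.status = "crashed"

    def rm_join_ack(self) -> None:
        self._record("rm-join-ack")
        if self.status == "joining":
            self.status = "member"

    def rm_leave_ack(self) -> None:
        self._record("rm-leave-ack")
        if self.status == "leaving":
            self.status = "idle"

    def rm_recv(self, p: Packet) -> None:
        self._record("rm-recv", p)  # eff None

    # Output actions: return False (no step taken) when the precondition fails.
    def rm_join(self) -> bool:
        if self.status != "idle":
            return False
        self._record("rm-join")
        self.status = "joining"
        return True

    def rm_leave(self) -> bool:
        if self.status != "member":
            return False
        self._record("rm-leave")
        self.status = "leaving"
        return True

    def rm_send(self, p: Packet) -> bool:
        # pre: status = member ∧ source(p) = h ∧ (seqno = ⊥ ∨ seqno(p) = seqno + 1)
        if self.status != "member" or p.source != self.h:
            return False
        if self.seqno is not None and p.seqno != self.seqno + 1:
            return False
        self._record("rm-send", p)
        self.seqno = p.seqno
        return True

    def time_passage(self, t: float) -> None:
        self.now += t  # pre None


def sends(trace) -> List[Packet]:
    return [p for _, name, p in trace if name == "rm-send"]


def transmission_correct(c: RMClient) -> bool:
    """Lemma 4.1: every rm-send_h(p) in the trace has source(p) = h."""
    return all(p.source == c.h for p in sends(c.trace))


def transmission_unique(c: RMClient) -> bool:
    """Lemma 4.2: no two transmitted packets share the identifier (s, i)."""
    ids = [(p.source, p.seqno) for p in sends(c.trace)]
    return len(ids) == len(set(ids))


def in_order_transmission(c: RMClient) -> bool:
    """Lemma 4.3: transmissions occur in ascending sequence-number order."""
    seqs = [p.seqno for p in sends(c.trace)]
    return all(a < b for a, b in zip(seqs, seqs[1:]))


def demo() -> RMClient:
    """A constructed run: join, send three packets, reject ill-formed sends, leave."""
    c = RMClient("h1")
    assert c.rm_join() and not c.rm_send(Packet("h1", 0))  # joining, not yet a member
    c.rm_join_ack()
    c.time_passage(1.0)
    assert c.rm_send(Packet("h1", 0))
    # wrong source (Lemma 4.1), repeated id (Lemma 4.2) and a gap (Lemma 4.3) are refused
    assert not c.rm_send(Packet("h2", 1)) and not c.rm_send(Packet("h1", 0))
    assert not c.rm_send(Packet("h1", 2))
    assert c.rm_send(Packet("h1", 1)) and c.rm_send(Packet("h1", 2))
    assert c.rm_leave() and not c.rm_send(Packet("h1", 3))  # leaving, no longer a member
    c.rm_leave_ack()
    return c
```

Running demo() yields a trace on which all three checkers return True; the checkers are written over the recorded trace rather than the automaton's state so that they can also be applied to traces produced by other clients.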

The automaton RM_S(Δ), for any Δ ∈ ℝ≥0 ∪ ∞, satisfies transmission integrity. Transmission 
integrity is the property that, within a timed trace of RM_S(Δ), the reception of a packet must be 
preceded by the particular packet's transmission. 

Lemma 4.4 (Transmission Integrity)  Let β be any timed trace of RM_S(Δ), for any Δ ∈ 
ℝ≥0 ∪ ∞. For h, h' ∈ H and p ∈ P_RM-Client, such that h ≠ h' and h = source(p), it is the 
case that any rm-recv_h'(p) action is preceded in β by a rm-send_h(p) action. 

Proof: Let α be any timed execution of RM_S(Δ) such that β = ttrace(α). It suffices to show 
that any rm-recv_h'(p) action is preceded by a rm-send_h(p) action within α. This follows directly 
from the precondition of the action rm-recv_h'(p). In particular, the precondition of the action 
rm-recv_h'(p) requires that there is a tuple in pkts corresponding to the packet p. However, such a 
tuple may be added to pkts only by the occurrence of the action rm-send_h(p). Thus, the occurrence 
of any action rm-recv_h'(p) within α is preceded by the occurrence of the action rm-send_h(p). ■ 

We proceed by defining the set of members of the reliable multicast group following a finite timed 
trace of RM_S(Δ). 

Definition 4.1 (Membership)  Let β be any timed trace of RM_S(Δ), for any Δ ∈ ℝ≥0 ∪ ∞. 
We define the members of β, denoted members(β), to be the set of all hosts h ∈ H such that β 
contains a rm-join-ack_h action that is not succeeded by either an rm-leave_h or a crash_h action. 
If a host h ∈ H is in the set members(β), then we say that h is a reliable multicast group member 
of β. 

The following lemma relates the set members(β) of Definition 4.1 to the derived variable members 
of the automaton RM. 

Lemma 4.5  Let Δ ∈ ℝ≥0 ∪ ∞ and α be any finite timed execution of RM_S(Δ). Letting s be the 
last state in α and β be the timed trace of α, it is the case that s.members = members(β). 

Proof: Follows directly from the definitions of s.members and members(β). ■ 

Lemma 4.6  Let Δ ∈ ℝ≥0 ∪ ∞, h ∈ H, and α be any timed execution of RM_S(Δ) such that 
h ∈ members(ttrace(α)). Letting s be any state following the last occurrence of the rm-join-ack_h 
action in α, it is the case that h ∈ s.members. 

Proof: Let α', α'' be the execution fragments of RM_S(Δ) such that α' · α'' = α and the last action 
in α' is the last occurrence of the rm-join-ack_h action in α. Letting s' = α'.lstate, the effects of the 
rm-join-ack_h action imply that s'.status(h) = member. By the definition of members(ttrace(α)), 
it follows that α'' contains neither a rm-leave_h nor a crash_h action. 

The rest of the proof involves showing that for any prefix α_n of α'' of length n ∈ ℕ, such that 
s_n = α_n.lstate, it is the case that h ∈ s_n.members. This follows by a simple induction on the length 
n of α_n. For the base case, consider α_0. Since α_0 = s' and s'.status(h) = member, it follows that 
s_0.status(h) = member, as required. For the inductive step, consider α_{k+1}. Let s_{k+1} = α_{k+1}.lstate, 
let α_k be the prefix of α_{k+1} involving its first k steps, and s_k = α_k.lstate. The induction hypothesis 
is the assertion that s_k.status(h) = member. Since α'' contains neither a rm-leave_h nor a crash_h 
action, the (k+1)-st step of α_{k+1} is neither an rm-leave_h nor a crash_h action. Moreover, since 
s_k.status(h) = member, the (k+1)-st step of α_{k+1} is neither an rm-join_h, rm-join-ack_h, nor 
rm-leave-ack_h action. The remaining actions do not affect the status(h) variable. Thus, it follows 
that s_{k+1}.status(h) = member, as required. ■ 

We proceed by defining the intended and completed delivery sets of a packet within a timed trace 
of RM_S(Δ). 

Definition 4.2 (Intended Delivery Set)  Let β be any timed trace of RM_S(Δ), for any Δ ∈ 
ℝ≥0 ∪ ∞, containing the transmission of a packet p ∈ P_RM-Client. We define the intended delivery 
set of p within β, denoted intended(p, β), to be the members of β that have delivered either the 
packet p or an earlier packet from the source of p since they last joined the reliable multicast group; 
that is, h ∈ intended(p, β) if and only if h ∈ members(β) and the last rm-join-ack_h action in β 
is succeeded by either a rm-send_h(p') or a rm-recv_h(p') action, where source(p') = source(p) and 
seqno(p') ≤ seqno(p). 
Lemma 4.7  Let β be any finite timed trace of RM_S(Δ), for any Δ ∈ ℝ≥0 ∪ ∞, containing the 
transmission of a packet p ∈ P_RM-Client. Then, it is the case that intended(p, β) ⊆ members(β). 

Proof: Follows directly from Definition 4.2. ■ 

The following lemma relates the intended delivery set of a packet p within a timed trace β defined 
in Definition 4.2 to the derived variable intended(p) of the RM automaton. 

Lemma 4.8  Let Δ ∈ ℝ≥0 ∪ ∞, p ∈ P_RM-Client, and α be any finite timed execution of RM_S(Δ) 
that contains the transmission of p. Letting s = α.lstate and β = ttrace(α), it is the case that 
s.intended(p) = intended(p, β). 

Proof: Follows directly from the definition of the derived variable intended(p) and Definition 4.2. 
■ 


Definition 4.3 (Completed Delivery Set)  Let β be any timed trace of RM_S(Δ), for any 
Δ ∈ ℝ≥0 ∪ ∞, containing the transmission of a packet p ∈ P_RM-Client. We define the completed 
delivery set of p within β, denoted completed(p, β), to be the members of β that have delivered 
the packet p since they last joined the reliable multicast group; that is, h ∈ completed(p, β) if and 
only if h ∈ members(β) and the last rm-join-ack_h action in β is succeeded by either a rm-send_h(p) 
or a rm-recv_h(p) action. 

The following lemma relates the completed delivery set of a packet p within a timed trace β defined 
in Definition 4.3 to the derived variable completed(p) of the RM automaton. 

Lemma 4.9  Let Δ ∈ ℝ≥0 ∪ ∞, p ∈ P_RM-Client, and α be any finite timed execution of 
RM(Δ) × RM-Clients that contains the transmission of p. Letting s = α.lstate and β = ttrace(α), 
it is the case that s.completed(p) = completed(p, β). 

Proof: Follows directly from the definition of the derived variable completed(p) and Definition 4.3. 
■ 

We continue by defining the set of active packets within a timed trace of RM_S(Δ), for any 
Δ ∈ ℝ≥0 ∪ ∞. This set is comprised of the packets whose intended and completed delivery sets 
within the given timed trace overlap; that is, the packets for which there is at least one host that 
was and has remained a member of the reliable multicast group following the packet's transmission 
and, moreover, has either sent or received the packet. 

Definition 4.4 (Active Packets)  Let β be any timed trace of RM(Δ) × RM-Clients, for any 
Δ ∈ ℝ≥0 ∪ ∞. We define the set of active packets within β, denoted active-pkts(β), to be 
the set of all packets p ∈ P_RM-Client such that intended(p, β) ∩ completed(p, β) ≠ ∅. If a packet 
p ∈ P_RM-Client is in the set active-pkts(β), then we say that p is active within β. 

The following lemma relates the set of active packets defined in Definition 4.4 to the derived variable 
active-pkts of the RM automaton. 

Lemma 4.10  Let Δ ∈ ℝ≥0 ∪ ∞, p ∈ P_RM-Client, and α be any finite timed execution of 
RM(Δ) × RM-Clients that contains the transmission of p. Letting s = α.lstate and β = ttrace(α), 
it is the case that s.active-pkts = active-pkts(β). 

Proof: Follows directly from Lemmas 4.8 and 4.9, Definition 4.4, and the definition of the derived 
variable active-pkts of the RM automaton. ■ 
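Definitions 4.1 to 4.4 are all functions of a timed trace, so they can be evaluated mechanically. The block below is an added example, not the paper's code: it computes members(β), intended(p, β), completed(p, β) and active-pkts(β) over a constructed trace in which one host has received an earlier packet from a source but not the later one, which is exactly the "intended but not completed" situation the eventual-delivery results of Section 4.3 concern. The tuple encoding of trace events and packets is an assumption of the example.

```python
"""Added example (not the paper's own code): Definitions 4.1-4.4 computed
over a constructed timed trace. A trace is a list of (time, action, host,
packet) tuples and a packet is its identifier (source(p), seqno(p)); this
encoding is an assumption of the example."""
from typing import List, Optional, Set, Tuple

Packet = Tuple[str, int]                           # id(p) = (source(p), seqno(p))
Event = Tuple[float, str, str, Optional[Packet]]   # (time, action, host, packet)


def _last_join_ack(beta: List[Event], h: str) -> Optional[int]:
    """Index of the last rm-join-ack_h in beta, or None if h never joined."""
    idx = [i for i, (_, act, host, _) in enumerate(beta) if act == "rm-join-ack" and host == h]
    return idx[-1] if idx else None


def members(beta: List[Event]) -> Set[str]:
    """Definition 4.1: hosts whose last rm-join-ack_h is followed by neither
    an rm-leave_h nor a crash_h action."""
    result = set()
    for h in {host for _, _, host, _ in beta}:
        j = _last_join_ack(beta, h)
        if j is None:
            continue
        left = any(act in ("rm-leave", "crash") and host == h for _, act, host, _ in beta[j + 1:])
        if not left:
            result.add(h)
    return result


def _aware_since_join(beta: List[Event], h: str, p: Packet, exact: bool) -> bool:
    """After h's last rm-join-ack_h, did h send or receive p itself (exact)
    or any packet from source(p) with sequence number <= seqno(p)?"""
    j = _last_join_ack(beta, h)
    if j is None:
        return False
    for _, act, host, q in beta[j + 1:]:
        if host != h or act not in ("rm-send", "rm-recv") or q is None:
            continue
        if q == p or (not exact and q[0] == p[0] and q[1] <= p[1]):
            return True
    return False


def intended(p: Packet, beta: List[Event]) -> Set[str]:
    """Definition 4.2: members aware of p or of an earlier packet of its source."""
    return {h for h in members(beta) if _aware_since_join(beta, h, p, exact=False)}


def completed(p: Packet, beta: List[Event]) -> Set[str]:
    """Definition 4.3: members that delivered p itself since they last joined."""
    return {h for h in members(beta) if _aware_since_join(beta, h, p, exact=True)}


def active_pkts(beta: List[Event]) -> Set[Packet]:
    """Definition 4.4: transmitted packets whose intended and completed sets overlap."""
    sent = {q for _, act, _, q in beta if act == "rm-send" and q is not None}
    return {p for p in sent if intended(p, beta) & completed(p, beta)}


# Constructed trace: s, h1, h2 and h4 join; s sends (s,0) and (s,1); h1 receives
# both; h2 and h4 receive only (s,0); h2 then leaves; h3 joins after the fact.
SAMPLE_TRACE: List[Event] = [
    (0.0, "rm-join", "s", None), (0.1, "rm-join-ack", "s", None),
    (0.2, "rm-join", "h1", None), (0.3, "rm-join-ack", "h1", None),
    (0.4, "rm-join", "h2", None), (0.5, "rm-join-ack", "h2", None),
    (0.6, "rm-join", "h4", None), (0.7, "rm-join-ack", "h4", None),
    (1.0, "rm-send", "s", ("s", 0)),
    (1.2, "rm-recv", "h1", ("s", 0)),
    (1.3, "rm-recv", "h2", ("s", 0)),
    (1.4, "rm-recv", "h4", ("s", 0)),
    (2.0, "rm-send", "s", ("s", 1)),
    (2.2, "rm-recv", "h1", ("s", 1)),
    (2.5, "rm-leave", "h2", None),
    (3.0, "rm-join", "h3", None), (3.1, "rm-join-ack", "h3", None),
]
```

On SAMPLE_TRACE, members(β) is {s, h1, h3, h4}: h2 has left and is excluded by Definition 4.1, while h3 is a member but, having joined after both transmissions, belongs to neither delivery set. For p = (s, 1), intended(p, β) is {s, h1, h4} but completed(p, β) is only {s, h1}; the difference {h4} is the host that Theorem 4.15 says must still deliver p in any fair admissible continuation in which p stays active.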

Lemma 4.11  Let β, β' be timed traces of RM(Δ) × RM-Clients, for any Δ ∈ ℝ≥0 ∪ ∞, containing 
the transmission of a packet p ∈ P_RM-Client such that β' ≤ β. Then, it is the case that if 
p ∈ active-pkts(β) then p ∈ active-pkts(β'). 

Proof: We prove the above claim by contradiction. Suppose that it is the case that p ∉ 
active-pkts(β') and p ∈ active-pkts(β). Thus, there must be some action π following β' such 
that p ∉ active-pkts(β_π) and p ∈ active-pkts(β_π · π), where β_π, β'_π are the trace fragments of β such 
that β_π · π · β'_π = β. 

Let α be any timed execution of RM(Δ) × RM-Clients such that β = ttrace(α) and s_π and s'_π 
be the pre- and post-states of π within α. We proceed by considering the possibility of π being 
any of the actions of the RM_S(Δ) automaton that affect the valuation of the derived variable 
active-pkts. Since p ∉ active-pkts(β_π), Lemma 4.10 implies that p ∉ s_π.active-pkts. Thus, none of 
the rm-recv_h(p), for h ∈ H, are enabled. Lemma 4.1 implies that none of the actions rm-send_h(p), 
for h ∈ H, except for h = source(p) are enabled. Moreover, since p has already been sent within 
β_π, Lemma 4.2 implies that rm-send_h(p), for h = source(p), is not enabled in s_π. The only other 
actions that affect the variable active-pkts are the crash_h and rm-leave_h actions, for h ∈ H. The 
effects of these actions are to remove the host h from both the intended(p) and completed(p) sets. 
Clearly, if intended(p) ∩ completed(p) = ∅ in the state s_π, then the same holds for s'_π. Thus, it 
follows that p ∉ s'_π.active-pkts. Lemma 4.10 implies that p ∉ active-pkts(β_π · π), which contradicts 
our original supposition. ■ 

Lemma 4.12  Let Δ ∈ ℝ≥0 ∪ ∞, h ∈ H, p ∈ P_RM-Client, and α be any timed execution of 
RM_S(Δ) that ends with the discrete transition (s, π, s'), for π = rm-send_h(p). Then, it is the case 
that p ∈ s'.sent-pkts. 

Proof: From the precondition of rm-send_h(p), it follows that s.status = member and source(p) = h. 
Thus, the effects of the rm-send_h(p) action are to set the variable trans-time(p) to the value of now. By the 
definition of the derived variable sent-pkts of RM(Δ), it follows that p ∈ s'.sent-pkts, as required. 
■ 

Lemma 4.13  Let Δ ∈ ℝ≥0 ∪ ∞, p ∈ P_RM-Client, s ∈ states(RM(Δ)) be any reachable state of 
RM(Δ) such that p ∈ s.sent-pkts, and α be any timed execution fragment of RM(Δ) such that 
s = α.fstate. For any s' ∈ states(RM(Δ)) in α, it is the case that p ∈ s'.sent-pkts. 

Proof: Follows from a simple induction on the length of the prefix of α leading to s' and the fact 
that none of the actions of RM(Δ) reset the variable trans-time(p) to ⊥. ■ 



Lemma 4.14  Let h ∈ H, p ∈ P_RM-Client, s ∈ states(RM(Δ)), for Δ ∈ ℝ≥0 ∪ ∞, and α be any 
timed execution fragment of RM(Δ), such that s = α.fstate, h ∈ s.intended(p) (or, equivalently, 
id(p) ∈ s.expected(h, source(p))), and α contains neither crash_h nor rm-leave_h actions. Then, 
for any state s' ∈ states(RM(Δ)) in α, it is the case that h ∈ s'.intended(p) (or, equivalently, 
id(p) ∈ s'.expected(h, source(p))). 
Proof: Follows from a simple induction on the length of the prefix of α leading to s' and the 
facts that: i) the variable expected(h, source(p)) may only be set to a non-empty set if it is empty, 
and ii) the variable expected(h, source(p)) is reset to the empty set only by the actions crash_h and 
rm-leave_h. ■ 

Invariant 4.1  For h ∈ H and any reachable state s of RM(Δ) × RM-Clients, for Δ ∈ ℝ≥0 ∪ ∞, 
it is the case that s[RM-Client_h].status = s[RM(Δ)].status(h). 

Proof: Follows by a simple induction on the length of any timed execution of RM_S(Δ) leading 
to s. ■ 

Invariant 4.2  Let h, h' ∈ H and s be any reachable state of RM_S(Δ), for Δ ∈ ℝ≥0 ∪ ∞. 
If s[RM(Δ)].status(h) ≠ member, then it is the case that s[RM(Δ)].expected(h, h') = ∅ and 
s[RM(Δ)].delivered(h, h') = ∅. 

Proof: Follows from a simple induction on the length of any execution of RM_S(Δ) leading 
to s and the facts that: i) the actions that set the variable RM(Δ).expected(h, h') are only 
enabled when RM(Δ).status(h) = member, ii) the actions that add elements to the variable 
RM(Δ).delivered(h, h') are only enabled when RM(Δ).status(h) = member, and iii) the actions 
that reset the variables RM(Δ).expected(h, h') and RM(Δ).delivered(h, h') also set the variable 
RM(Δ).status(h) to a value other than member. ■ 

Letting Δ ∈ ℝ≥0 ∪ ∞, the following invariant states that, for any active packet in any reachable 
state of RM(Δ) × RM-Clients, either Δ time units have yet to elapse past the packet's transmission 
time, or the packet has been delivered to all members that are aware of it. Thus, Δ bounds the 
delivery latency of any active packet. 

Invariant 4.3  Let s be any reachable state of the timed automaton RM_S(Δ), for any Δ ∈ ℝ≥0 ∪ ∞. 
Then, for any active packet p ∈ P_RM-Client in s, i.e., p ∈ s.active-pkts, it is the case that either 
s.now < s.trans-time(p) + Δ or s.intended(p) ⊆ s.completed(p). 

Proof: The proof is by induction on the number of steps n ∈ ℕ of a timed execution α of RM_S(Δ) 
leading to the state s. For the base case, consider a timed execution with no steps; that is, n = 0 
and α = s for some s ∈ start(RM_S(Δ)). Since s.active-pkts = ∅, the invariant assertion is trivially 
satisfied. 

For the inductive step, consider a timed execution α with k + 1 steps. Let α' be the prefix of 
α containing the first k steps of α and s' be the last state of α'. The induction hypothesis is 
that for any active packet p' ∈ P_RM-Client in s', i.e., p' ∈ s'.active-pkts, it is the case that either 
s'.now < s'.trans-time(p') + Δ or s'.intended(p') ⊆ s'.completed(p'). For the inductive step, we 
show that for any active packet p ∈ P_RM-Client in s, i.e., p ∈ s.active-pkts, it is the case that either 
s.now < s.trans-time(p) + Δ or s.intended(p) ⊆ s.completed(p). 

Suppose that p ∈ s.active-pkts and consider two cases depending on whether p ∈ s'.active-pkts. 
First, consider the case in which p ∉ s'.active-pkts. Lemma 4.11 implies that the step from s' to s 
involves the action rm-send_h(p), for h = source(p). Its effects are to set the variable trans-time(p) 
to now. It follows that s.now < s.trans-time(p) + Δ. Thus, the invariant assertion is satisfied in s. 

Second, consider the case in which p ∈ s'.active-pkts. Then, the induction hypothesis implies that 
either s'.now < s'.trans-time(p) + Δ or s'.intended(p) ⊆ s'.completed(p). We proceed by considering 
the effects of each of the actions that affect any of the variables present in the invariant assertion: 
□ crash_h, for h ∈ H: the effects of this action are to remove the host h from the intended 
and completed delivery sets of p. Thus, the induction hypothesis implies that either s.now < 
s.trans-time(p) + Δ or s.intended(p) ⊆ s.completed(p). 

□ rm-leave_h, for h ∈ H: the reasoning for this action is similar to that of the crash_h action. 

□ rm-send_h(p), for h = source(p): since p ∈ s'.active-pkts it follows that p has been sent prior to 
state s' within α. Thus, Lemma 4.2 implies that the rm-send_h(p) action is not enabled in s'. 

□ rm-recv_h(p), for h ∈ H: we consider two cases depending on whether s'.expected(h, source(p)) 
is empty. First, if s'.expected(h, source(p)) = ∅, the precondition of rm-recv_h(p) implies that 
s'.now < s'.trans-time(p) + Δ. Since the rm-recv_h(p) action affects neither the now nor the 
trans-time(p) variables, it follows that s.now < s.trans-time(p) + Δ. Thus, the invariant assertion 
is satisfied in s. Second, if s'.expected(h, source(p)) ≠ ∅, the precondition of rm-recv_h(p) implies 
that id(p) ∈ s'.expected(h, source(p)). The effects of rm-recv_h(p) are to add the element 
id(p) to the set delivered(h, source(p)). Thus, the induction hypothesis implies that either 
s.now < s.trans-time(p) + Δ or s.intended(p) ⊆ s.completed(p). 

□ ν(t), for t ∈ ℝ≥0: the effects of the time-passage action are to allow t time units to elapse. 
However, the precondition of the action ν(t) implies that the invariant assertion is satisfied in s. ■ 



4.3 Reliability Properties 

The RM_S(Δ) automaton, for any Δ ∈ ℝ≥0 ∪ ∞, satisfies the eventual delivery and, equivalently, 
pairwise eventual delivery, properties. Eventual delivery is the property that if a host h is a 
member of the reliable multicast group, becomes aware of a packet p, remains a member of the 
group thereafter, and p remains active thereafter, then h delivers p since last joining the reliable 
multicast group. Its pairwise counterpart is the property that if two hosts are members of the 
reliable multicast group, become aware of the packet p, remain members of the group thereafter, 
and one of them delivers p since last joining the reliable multicast group, then so does the other. 
The eventual and pairwise eventual delivery properties are equivalent. 

Theorem 4.15 (Eventual Delivery)  Let β be any fair admissible timed trace of RM_S(Δ), for 
any Δ ∈ ℝ≥0 ∪ ∞, containing the transmission of a packet p ∈ P_RM-Client. If p ∈ active-pkts(β), 
then p is delivered by each host in the intended delivery set of p within β since each such host last 
joined the reliable multicast group; that is, intended(p, β) ⊆ completed(p, β). 

Proof: Let α be any fair admissible timed execution of RM_S(Δ), such that β = ttrace(α). Suppose 
that p ∈ active-pkts(β) and let h ∈ intended(p, β). It suffices to show that h ∈ completed(p, β). 

First, we consider the case where h is the source of p. Since h ∈ intended(p, β), Definition 4.2 
implies that the last rm-join-ack_h action in β is succeeded by a rm-send_h(p') action, where 
source(p') = source(p) and seqno(p') ≤ seqno(p). If seqno(p') = seqno(p) and, consequently, p' = p, 
then it is the case that the last rm-join-ack_h action in β is succeeded by a rm-send_h(p) action. 
By Definition 4.3, it follows that h ∈ completed(p, β), as needed. If seqno(p') < seqno(p), then 
Lemma 4.3 implies that the transmission of p in β succeeds the transmission of p' in β. Since the 
rm-send_h(p') action succeeds the last rm-join-ack_h action in β, so does the rm-send_h(p) action. 
By Definition 4.3, it follows that h ∈ completed(p, β), as needed. 

Second, consider the case where h is not the source of p. Since h ∈ intended(p, β), Definition 4.2 
implies that the last rm-join-ack_h action in β is succeeded by a rm-recv_h(p') action, where 
source(p') = source(p) and seqno(p') ≤ seqno(p). If seqno(p') = seqno(p) and, consequently, 
p' = p, then it is the case that the last rm-join-ack_h action in β is succeeded by a rm-recv_h(p) 
action. By Definition 4.3, it follows that h ∈ completed(p, β), as needed. 

Now, consider the case where seqno(p') < seqno(p). Let (s'_-, π, s'_+) be the discrete transition 
in α corresponding to the particular occurrence of the rm-recv_h(p') action in β and α' be the 
suffix of α that starts in the post-state s'_+ of (s'_-, π, s'_+). Moreover, let s_α' be any state in α'. 
Since h ∈ intended(p, β), Lemma 4.7 implies that h ∈ members(β). Since α' succeeds the last 
rm-join-ack_h action in α, Lemma 4.6 implies that h ∈ s_α'.members. Since h ≠ source(p), it 
follows that h ∈ s_α'.members \ {source(p)}. The precondition and the effects of the rm-recv_h(p') 
action imply that id(p) ∈ s'_+.expected(h, source(p)). Moreover, Lemma 4.14 implies that id(p) ∈ 
s_α'.expected(h, source(p)). 

Moreover, let (s''_-, π, s''_+) be the discrete transition in α corresponding to the occurrence of the 
rm-send_h'(p) action in β, for h' = source(p), and α'' be the suffix of α that starts in the post-state 
s''_+ of (s''_-, π, s''_+). Moreover, let s_α'' be any state in α''. Lemma 4.12 implies that p ∈ s''_+.sent-pkts 
and Lemma 4.13 implies that p ∈ s_α''.sent-pkts. 

Now, let α* be any timed execution fragment that is a common suffix of α' and α'' and let 
s* be any state in α*. Since h ∈ s_α'.members \ {source(p)}, p ∈ s_α''.sent-pkts, and id(p) ∈ 
s_α'.expected(h, source(p)), it is the case that h ∈ s*.members \ {source(p)}, p ∈ s*.sent-pkts, and 
id(p) ∈ s*.expected(h, source(p)). Thus, the rm-recv_h(p) action is enabled in s*; that is, the 
rm-recv_h(p) action is enabled in any state in α*. 

Since α* is a suffix of α and α is an admissible timed execution of RM_S(Δ), it is the case that 
α* is infinite. Since the rm-recv_h(p) action is enabled in any state of α*, the rm-recv_h(p) action 
is enabled infinitely often in α*. Since α is fair, the rm-recv_h(p) action occurs in α*. Thus, the 
rm-recv_h(p) action succeeds the last rm-join-ack_h action in α. By Definition 4.3, it follows that 
h ∈ completed(p, β), as needed. ■ 

The following corollary defines the pairwise eventual delivery property of RM_S(Δ). It states that 
if two hosts are members of the reliable multicast group, become aware of the packet p, remain 
members of the group thereafter, and one of them delivers p, then so does the other. The pairwise 
eventual delivery property is equivalent to the eventual delivery property defined in Theorem 4.15. 

Corollary 4.16 (Pairwise Eventual Delivery)  Let β be any fair admissible timed trace of 
the RM_S(Δ) automaton, for any Δ ∈ ℝ≥0 ∪ ∞, that contains the transmission of a packet 
p ∈ P_RM-Client, and let h, h' ∈ H, h ≠ h', be any two distinct hosts in the intended delivery set 
of p within β. Then, if h delivers p within β, so does h'. 

Proof: Since h is in the intended delivery set of p within β and it delivers p within β, it follows 
that p is active within β; that is, p ∈ active-pkts(β). Since h' is in the intended delivery set of p 
within β, Theorem 4.15 implies that h' delivers p within β. ■ 

The following theorem defines the notion of time-bounded delivery; that is, the property that any 
packet that remains active for at least Δ ∈ ℝ≥0 time units past its transmission is delivered within 
these Δ time units to all hosts that become aware of it within these Δ time units. 

Theorem 4.17 (Time-Bounded Delivery)  Let β be any admissible timed trace of RM(Δ) × 
RM-Clients, for any Δ ∈ ℝ≥0, that contains the transmission of a packet p ∈ P_RM-Client. Let β' 
be the finite prefix of β ending with the transmission of p; that is, the last action contained in β' 
is the action rm-send_h(p), for h ∈ H, h = source(p). Let β'' be any finite prefix of β, such that 
β' ≤ β'' ≤ β and t' + Δ < t'', with t', t'' ∈ ℝ≥0 being the times of occurrence of the last actions 
of β' and β'', respectively. Suppose that the host h' is in the intended delivery set of p within β'' 
and that the packet p is active within β''. Then, the host h' delivers the packet p within β''; that is, 
h' ∈ completed(p, β''). 

Proof: Let α be any admissible execution of RM(Δ) × RM-Clients such that β = ttrace(α). 
Moreover, let α' and α'' be finite prefixes of α such that α' ≤ α'' ≤ α, β' = ttrace(α'), 
β'' = ttrace(α''), and the last actions in α' and α'' are the last actions in β' and β'', respectively. 
Finally, let s' and s'' be the last states of α' and α'', respectively. 

Since t' + Δ < t'', it follows that s''.trans-time(p) + Δ < s''.now. Since p ∈ active-pkts(β''), 
Lemma 4.10 implies that p ∈ s''.active-pkts. Since p ∈ s''.active-pkts and s''.trans-time(p) + Δ < 
s''.now, Invariant 4.3 implies that s''.intended(p) ⊆ s''.completed(p). Lemmas 4.8 and 4.9 imply 
that intended(p, β'') ⊆ completed(p, β''). Finally, since h' ∈ intended(p, β''), it follows that 
h' ∈ completed(p, β''); that is, the host h' delivers the packet p within β''. ■ 



5 Reliable Multicast Implementation (RMI) 

In this section, we present RMI, a formal model of the Scalable Reliable Multicast (SRM) 
protocol [1]. RMI precisely specifies the behavior of the basic version of SRM; more sophisticated 
versions involve adaptive and local recovery schemes [1, 5]. 

5.1 Overview of RMI's Functionality 

RMI consists of two distinct functional components: i) packet loss recovery, and ii) session message 
exchange. We proceed by describing each of these components. 

Packet Loss Recovery Receivers detect packet losses by identifying sequence number gaps in 
the stream of packets received from each source. Upon detecting the loss of a packet p, a host 
h initiates a new recovery round for p by scheduling a retransmission request for p. This request 
is scheduled for transmission at a point in time in the future that is uniformly chosen within the 
interval [C_1 d_hs, (C_1 + C_2) d_hs], where C_1, C_2 ∈ ℝ≥0 are request scheduling parameters and d_hs is 
half of h's round-trip-time (RTT) estimate to the source s of the packet p. 

Upon either the transmission of a request for p or the reception of a request for p while a request 
for p is pending transmission, the host h initiates a new recovery round for p by rescheduling the 
request for p for transmission at a point in time in the future that is uniformly chosen within the 
interval 2^{k-1} [C_1 d_{hs}, (C_1 + C_2) d_{hs}], where k ∈ ℕ^+ is the number of recovery rounds for p that h has 
already initiated. In effect, the request for p is rescheduled by performing an exponential back-off. 
If h receives p while a request for p is pending transmission, then the request for p is canceled. 

Once h reschedules its request for p, it observes a back-off abstinence period. During this period, 
it refrains from backing-off its request for p. Any requests for p received during this period are 
considered to pertain to prior recovery rounds and are discarded. Thus, back-off abstinence periods 
prevent requests from being backed-off multiple times by requests pertaining to the same recovery 
round. The back-off abstinence period for p expires at the point in time that is 2^{k-1} C_3 d_{hs} time 
units in the future, where k ∈ ℕ^+ is the number of recovery rounds for p that h has already initiated 
and C_3 ∈ ℝ^{≥0} is the back-off abstinence parameter. 

Our modeling of back-off abstinence periods departs slightly from SRM. Floyd et al. [1] propose 
two schemes for ensuring that requests are backed off only once per recovery round. The first 
scheme involves back-off abstinence periods that expire once half the time to the transmission time 
of the respective request has elapsed. Our use of a parameter for specifying how long to abstain 
from backing off allows more tuning freedom. Moreover, having back-off abstinence periods expire 
once half the time to the transmission time of the respective request has elapsed allows for the 
back-off abstinence period to overlap the interval within which requests are scheduled. This seems 
to go against the intention of the abstinence period. Requests received within the interval within 
which the current request was scheduled should be considered to be requests of the current round 
and, thus, should result in the rescheduling of the current request. The second scheme annotates 
requests with their recovery round and backs off requests only upon receiving a request pertaining 
to the same or, presumably, a later round. 

If a host h' receives a request for the packet p from the host h and it has already either 
sent or received p, then it schedules a reply for (retransmission of) p. This reply is scheduled 
for transmission at a point in time in the future that is uniformly chosen within the interval 
[D_1 d_{h'h}, (D_1 + D_2) d_{h'h}], where D_1, D_2 ∈ ℝ^{≥0} are reply scheduling parameters and d_{h'h} is half of 
h''s RTT estimate to h (the requestor of p). If h' receives a reply for p while its own reply for p is 
pending transmission, then h' cancels its own reply for p. 

Once h' either receives a reply for p or retransmits p itself, it observes a reply abstinence period; 
that is, a period during which it refrains from scheduling replies to requests for p. The reply abstinence 
period for p expires at the point in time that is D_3 d_{h'h} time units in the future, where D_3 ∈ ℝ^{≥0} is 
the reply abstinence parameter. The reply abstinence period prevents multiple requests pertaining 
to a given recovery round from generating multiple replies. 
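The request and reply scheduling just described, as an added executable model (not the paper's own code): one host h backs off its request for a missing packet p, and a host h' holding p replies at most once per recovery round. The parameters C1, C2, C3, D1, D2, D3 and the half-RTT distances are the paper's; the reading of k as the index of the round being scheduled (1 for the initial request) and the abstinence deadline 2^(k-1) C3 d are assumptions noted in the comments.

```python
import random
# Added example, not the paper's own code: one host's request scheduling and
# another host's reply scheduling for a single missing packet p (Section 5.1),
# using the paper's parameters C1..C3, D1..D3 and distances. Assumed readings:
# k is the index of the round being scheduled (1 for the initial request), so
# the interval is 2^(k-1) [C1 d, (C1+C2) d], and a reschedule starts a back-off
# abstinence period of 2^(k-1) C3 d time units.

class RequestScheduler:
    """Requester h: schedules, backs off and cancels its request for p."""
    def __init__(self, c1, c2, c3, d_hs, seed=0):
        self.c1, self.c2, self.c3, self.d_hs = c1, c2, c3, d_hs
        self.rng = random.Random(seed)   # uniform choice within the interval
        self.k = 0                       # recovery rounds initiated so far
        self.send_at = None              # time of the pending request, if any
        self.abstain_until = 0.0         # back-off abstinence deadline
        self.sent = []                   # times at which h transmitted a request
        self.discarded = 0               # requests ignored during abstinence

    def interval(self, k):
        """Scheduling interval for recovery round k >= 1 (exponential back-off)."""
        scale = 2 ** (k - 1)
        return scale * self.c1 * self.d_hs, scale * (self.c1 + self.c2) * self.d_hs

    def _start_round(self, now):
        self.k += 1
        lo, hi = self.interval(self.k)
        self.send_at = now + self.rng.uniform(lo, hi)
        if self.k > 1:   # a reschedule also starts a back-off abstinence period
            self.abstain_until = now + 2 ** (self.k - 1) * self.c3 * self.d_hs

    def loss_detected(self, now):
        """h sees a sequence-number gap: schedule the first request for p."""
        if self.k == 0:
            self._start_round(now)

    def request_received(self, now):
        """Another member's request for p arrives; back off unless abstaining."""
        if self.send_at is None:
            return False
        if now < self.abstain_until:
            self.discarded += 1          # taken to belong to a prior round
            return False
        self._start_round(now)
        return True

    def advance(self, now):
        """Clock reaches now: transmit the request if due, then back off."""
        if self.send_at is not None and now >= self.send_at:
            self.sent.append(self.send_at)
            self._start_round(self.send_at)

    def packet_received(self):
        """p arrives (original or repair): the pending request is canceled."""
        self.send_at = None

class ReplyScheduler:
    """Replier h' holding p: reply scheduling and reply abstinence."""
    def __init__(self, d1, d2, d3, d_hh, seed=0):
        self.d1, self.d2, self.d3, self.d = d1, d2, d3, d_hh
        self.rng = random.Random(seed)
        self.send_at = None              # time of the pending reply, if any
        self.abstain_until = 0.0         # reply abstinence deadline
        self.sent = []

    def request_received(self, now):
        """A request for p arrives; schedule a reply unless abstaining."""
        if now < self.abstain_until or self.send_at is not None:
            return False
        lo, hi = self.d1 * self.d, (self.d1 + self.d2) * self.d
        self.send_at = now + self.rng.uniform(lo, hi)
        return True

    def reply_received(self, now):
        """Another member's reply for p arrives: cancel ours and abstain."""
        self.send_at = None
        self.abstain_until = now + self.d3 * self.d

    def advance(self, now):
        """Transmit the reply if due; transmitting also starts abstinence."""
        if self.send_at is not None and now >= self.send_at:
            self.sent.append(self.send_at)
            self.abstain_until = self.send_at + self.d3 * self.d
            self.send_at = None

def scenario():
    """Constructed run: h loses p and requests it; h' replies once to two requests."""
    req = RequestScheduler(c1=2.0, c2=2.0, c3=1.0, d_hs=0.1)
    req.loss_detected(0.0)                       # round 1: send in [0.2, 0.4]
    req.advance(req.send_at)                     # h transmits; round 2 begins
    t_sent = req.sent[0]
    early = req.request_received(t_sent + 0.05)  # inside abstinence: discarded
    late = req.request_received(t_sent + 0.5)    # after abstinence: round 3
    rep = ReplyScheduler(d1=1.0, d2=1.0, d3=1.0, d_hh=0.1)
    first = rep.request_received(t_sent)         # reply scheduled in [0.1, 0.2]
    rep.advance(rep.send_at)                     # h' retransmits p
    dup = rep.request_received(rep.sent[0] + 0.05)  # duplicate: abstaining
    req.packet_received()                        # the repair reaches h
    return req, rep, early, late, first, dup
```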

Session Message Exchange The reliable multicast group members periodically exchange 
session messages. These messages carry transmission state and timing information that allow 
the prompt detection of packet losses and the calculation of inter-host distance estimates; within 
SRM, inter-host distances are quantified by the one-way transmission latency between hosts. For 
simplicity, we assume that hosts transmit session messages with a fixed period. In practice, however, 
so as to limit the overhead associated with the exchange of session messages, the frequency of session 
message transmission is reduced as the size of the reliable multicast group grows. 

Receivers detect packet losses by detecting sequence number gaps in the stream of packets received 
from each source. However, this approach presumes either that later packets within the sequence 
of transmitted packets are received, or that receivers get informed of the transmission progress 
of each source through a separate service. Unfortunately, relying solely on the reception of later 
packets may result in long recovery latencies. This is evident when the total number of packets 
within a sequence is unknown a priori and either long transmission pauses, or long loss bursts are 
considered. Session messages mitigate this problem by allowing reliable multicast group members to 
exchange transmission progress state, in terms of ADU sequence numbers that they have observed 
with respect to each source. Discrepancies in the observed transmission progress for each source 
by each host reveal whether and which packets a particular host is missing. 

In addition to contributing to packet loss detection, session messages are used to calculate inter-host 
distance estimates. Hosts estimate the one-way transmission latencies between them by exchanging 
timing information through their session messages. For the purposes of illustration, we demonstrate 
how a host h calculates its distance estimate to a host h'. This calculation is initiated when the host 
h transmits a session message, p. This session message includes a field containing its transmission 
time t_s. Let t'_r denote the time the host h' receives p. Upon receiving p, h' records the times at 
which p was transmitted and received, i.e., it records a tuple of the form (t_s, t'_r). Subsequently, the 
host h' includes the tuple (t_s, t'_d) within its next session message, p', where t'_d corresponds to the 
time elapsed between the time the host h' received p and the time h' transmits p'. Finally, letting t_r denote the 
point in time that h receives p', h estimates its distance d_{hh'} to h' as (t_r − t'_d − t_s)/2 time units. 

Although the above scheme for calculating inter-host transmission latencies is simple, it presumes 
that inter-host transmission latencies are symmetric: the one-way inter-host transmission 
latency is estimated as half the round-trip-time (RTT) between hosts. Another drawback of this 
scheme is the dependence of its accuracy on the frequency of session message transmission. The 
frequency of calculating inter-host distance estimates is dictated by the frequency of session message 
transmission. Thus, if the frequency of session message transmission were adjusted based on the 
size of the reliable multicast group, then as the group would increase in size the accuracy of the 
inter-host distance estimates would drop. 
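The session-message exchange above, as an added example (not the paper's own code) run on constructed timings in integer milliseconds: the two one-way latencies are deliberately unequal and h' runs a clock offset from h's, which shows that the estimate equals half the RTT and that only the duration t'_d measured at h' enters the formula, so the clock offset cancels.

```python
# Added example, not the paper's own code: the session-message exchange by which
# h estimates its distance d_hh' to h' (Section 5.1), on constructed timings in
# integer milliseconds. Message layouts below are illustrative, not the paper's
# packet format.

def host_h_send(t_s):
    """h transmits session message p carrying its transmission time t_s."""
    return {"sender": "h", "time_sent": t_s}

def host_hprime_receive(p, t_r_prime):
    """h' records (t_s, t'_r): when p was sent (h's clock) and received (h''s clock)."""
    return (p["time_sent"], t_r_prime)

def host_hprime_send(record, t_send_prime):
    """h' builds p' with the report (t_s, t'_d), t'_d being the time it held p."""
    t_s, t_r_prime = record
    return {"sender": "h'", "dist_rprt": {"h": (t_s, t_send_prime - t_r_prime)}}

def host_h_estimate(p_prime, t_r):
    """h receives p' at t_r and estimates d_hh' = (t_r - t'_d - t_s) / 2."""
    t_s, t_d_prime = p_prime["dist_rprt"]["h"]
    return (t_r - t_d_prime - t_s) / 2

def exchange(lat_h_to_hprime, lat_hprime_to_h, hold, offset, t_s=1000):
    """One round trip; returns (h's estimate, true one-way latency h -> h')."""
    p = host_h_send(t_s)
    t_r_prime = t_s + lat_h_to_hprime + offset            # arrival on h''s clock
    record = host_hprime_receive(p, t_r_prime)
    p_prime = host_hprime_send(record, t_r_prime + hold)  # h' holds p for `hold` ms
    t_r = t_s + lat_h_to_hprime + hold + lat_hprime_to_h  # arrival on h's clock
    return host_h_estimate(p_prime, t_r), lat_h_to_hprime
```

With latencies of 30 ms out and 50 ms back, the estimate is 40 ms (half the 80 ms RTT) regardless of the 7 s clock offset at h'; only with symmetric latencies does it match the true one-way value.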

5.2 Formal Model of RMI 

Presuming the abstract view of the physical system introduced in Section 3, RMI involves the 
interaction of a set of client processes, one process per host, a set of reliable multicast processes, 
one process per host, and an IP multicast service component. The client processes are identical to 
those presented in Section 4. The reliable multicast processes execute the SRM protocol. The IP 
multicast service component encapsulates the behavior of all communication processes at all hosts 
and the underlying network and provides the best-effort multicast primitive. 

We model each reliable multicast process as four interacting components, each with distinct 
functionalities. The membership component manages the reliable multicast group membership of 
the host. It handles the join and leave requests of the client process and issues join and leave requests 
to the underlying IP multicast service. The IP buffer component buffers all packets either received 
from or to be transmitted using the underlying IP multicast service. The recovery component 
incorporates all the functionality pertaining to the detection and recovery of missing packets. 
Finally, the reporting component incorporates all the functionality pertaining to the exchange of 
session messages among the members of the reliable multicast group. Session messages are used to 
exchange transmission state and inter-host round-trip-time (RTT) information. This information 
aids the detection of losses, in particular during transmission gaps, and the calculation of inter-host 
round-trip-time estimates, which are required by the recovery component. 

Figure 5 depicts the interaction of the various components of RMI. The reliable multicast process 
SRM_h at each host h is the composition of the automata SRM-MEM_h, SRM-IPBUFF_h, SRM-REC_h, 
and SRM-REP_h. The reliable multicast implementation as a whole, denoted SRM, is the 
composition of the SRM processes and the underlying IP multicast service after hiding all output 
actions that are not output actions of the specification RM(Δ), for any Δ ∈ ℝ^{≥0} ∪ {∞}; that is, 
SRM = hide_Φ(Π_{h∈H} SRM_h × IPMCAST), with Φ = out(Π_{h∈H} SRM_h × IPMCAST) \ out(RM(Δ)). 
Finally, we define RM_I to be the composition of the reliable multicast implementation with all the 
client automata; that is, RM_I = SRM × RM-CLIENTS. 

5.2.1 Preliminary Definitions 

Figure 6 contains a list of set definitions that specify the format of the various types of packets 
used throughout the following sections. The set P_RM-CLIENT represents the set of packets that may 
be transmitted by the client processes using the reliable multicast service. As defined in Section 4, 
for any packet p ∈ P_RM-CLIENT the operations source(p), seqno(p), and data(p) extract the source, 
sequence number, and data segment corresponding to the packet p. For shorthand, we use the 
operation id(p) to extract the identifier of p; that is, its source and sequence number pair. 

The set P_SRM is comprised of all packets whose format is that used by the reliable multicast process. 
The format of each packet p ∈ P_SRM depends on its type. The type of the packet p, type(p), is 
one of the following: DATA, RQST, REPL, and SESS. The type of p denotes whether the packet is an 
original transmission, a repair request, a repair reply, or a session packet, respectively. Depending 
on its type, the packet p supports a different set of operations. 

Figure 5 Reliable Multicast Implementation Component Interaction 

When the packet p is an original transmission, that is, when type(p) = DATA, p supports the 
operations sender(p), source(p), seqno(p), data(p), and strip(p). These operations extract the 
sender, source, sequence number, data segment, and ADU corresponding to p. In the case of 
original transmissions, it is the case that sender(p) = source(p). When p is a repair request, that 
is, when type(p) = RQST, p supports the operations sender(p), source(p), and seqno(p). These 
operations extract the sender, source, and sequence number corresponding to the packet p. When 
p is a repair reply, that is, when type(p) = REPL, p supports the operations sender(p), source(p), 
seqno(p), data(p), and strip(p). These operations extract the sender, source, sequence number, 
data segment, and ADU packet corresponding to p. For DATA, RQST, and REPL packets, we also use 
the operation id(p) to extract the identifier of p; that is, its source and sequence number pair. 

When the packet p is a session packet, that is, when type(p) = SESS, p supports the operations 
sender(p), time-sent(p), dist-rprt?(p), dist-rprt(p, h), and seqno-rprts(p). The operation sender(p) 
extracts the sender of the session packet. The operation time-sent(p) extracts the time the session 
packet p was sent. The operation dist-rprt?(p) extracts the set of hosts for which the session 
packet is distance reporting. The operation dist-rprt(p, h) extracts the distance report for h within 
p; that is, dist-rprt(p, h) corresponds to a tuple comprised of two elements: the time the most 
recently observed session packet sent by h was received by the sender of p and the time that 
elapsed between the reception of h's session packet by the sender of p and the transmission of 
p. The operation seqno-rprts(p) extracts the state reports included in p; that is, seqno-rprts(p) 
corresponds to a set of tuples, each of which is comprised of two elements: the source and the 
maximum sequence number observed by the sender of p to have been transmitted by this source. 

The set P_IPMCAST-CLIENT represents the set of packets that may be transmitted by the clients of the 
IP multicast service. For any packet p ∈ P_IPMCAST-CLIENT the operations source(p), seqno(p), and 
strip(p) extract the source, the sequence number, and the data packet encapsulated in p. 

The set P_IPMCAST is comprised of tuples, each of which describes the transmission progress of a 
particular packet transmitted using the IP multicast service. We refer to the tuples comprising 
P_IPMCAST as IP multicast progress packets or transmission progress tuples. For any element pkt 
of P_IPMCAST, the operations strip(pkt), intended(pkt), completed(pkt), and dropped(pkt) extract the 
packet, the intended delivery set, the completed delivery set, and the dropped set corresponding 
to pkt. Letting p = strip(pkt), the intended delivery set of pkt is the set of hosts that were and 
have remained members of the IP multicast group following the transmission of p. The completed 
delivery set of pkt is the set of hosts to which p has already been delivered. The dropped set of 
pkt is the set of hosts to which the IP multicast service can no longer deliver the packet p due to 
packet drops. 

Figure 7 contains a list of set definitions used throughout the following sections. 

5.2.2 The Membership Component — SRM-MEM_h 

The SRM-MEM_h timed I/O automaton specifies the membership component of the reliable 
multicast process. Figures 8 and 9 present the signature, the variables, and the discrete transitions 
of SRM-MEM_h. 

Variables The variable now ∈ ℝ^{≥0} denotes the time that has elapsed since the beginning 
of an execution of SRM-MEM_h. The variable status captures the status of the host h. It 
evaluates to one of the following: idle, join-rqst-pending, join-pending, join-ack-pending, 
leave-rqst-pending, leave-pending, leave-ack-pending, member, and crashed. 

The value idle indicates that the host h is idle with respect to the reliable multicast group; that 
is, it is neither a member, nor in the process of joining or leaving the reliable multicast group. The 
value join-rqst-pending indicates that SRM-MEM_h has received a join request from the client 
but has yet to issue a join request to the underlying IP multicast service. The value join-pending 
indicates that SRM-MEM_h has issued a join request to the underlying IP multicast service and 
is awaiting a join acknowledgment. The value join-ack-pending indicates that SRM-MEM_h has 
successfully joined the underlying IP multicast service but has yet to issue a join acknowledgment 
to the client. The value member indicates that the host h is a member of the reliable multicast 
group. The value leave-rqst-pending indicates that SRM-MEM_h has received a leave request 
from the client but has yet to issue a leave request to the underlying IP multicast service. The 
value leave-pending indicates that SRM-MEM_h has issued a leave request to the underlying IP 
multicast service and is awaiting a leave acknowledgment. The value leave-ack-pending indicates 
that SRM-MEM_h has successfully left the underlying IP multicast service but has yet to issue a 
leave acknowledgment to the client. The value crashed indicates that the host h has crashed. 
While the host h has not crashed, we say that it is operational. Once the host h crashes, none 
of the input actions of SRM-MEM_h affect the state of SRM-MEM_h and none of the internal and 
output actions of SRM-MEM_h, except the time passage action, are enabled. 

Figure 6 SRM Packet Definitions 

P_RM-CLIENT = Set of packets such that ∀ p ∈ P_RM-CLIENT: 
    source(p) ∈ H 
    seqno(p) ∈ ℕ 
    data(p) ∈ {0, 1}* 
    id(p) ∈ H × ℕ : id(p) = (source(p), seqno(p)) 
    suffix(p) = {(s, i) ∈ H × ℕ | source(p) = s ∧ seqno(p) < i} 

P_RM-CLIENT[h] = {p ∈ P_RM-CLIENT | source(p) = h} 

P_SRM = Set of packets such that ∀ p ∈ P_SRM: 
    type(p) ∈ {DATA, RQST, REPL, SESS} 
    DATA: 
        sender(p) ∈ H 
        source(p) ∈ H 
        seqno(p) ∈ ℕ 
        data(p) ∈ {0, 1}* 
        strip(p) ∈ P_RM-CLIENT 
        id(p) ∈ H × ℕ : id(p) = (source(p), seqno(p)) 
    RQST: 
        sender(p) ∈ H 
        source(p) ∈ H 
        seqno(p) ∈ ℕ 
        id(p) ∈ H × ℕ : id(p) = (source(p), seqno(p)) 
    REPL: 
        sender(p) ∈ H 
        source(p) ∈ H 
        seqno(p) ∈ ℕ 
        data(p) ∈ {0, 1}* 
        strip(p) ∈ P_RM-CLIENT 
        id(p) ∈ H × ℕ : id(p) = (source(p), seqno(p)) 
    SESS: 
        sender(p) ∈ H 
        time-sent(p) ∈ ℝ^{≥0} 
        dist-rprt?(p) ⊆ H 
        dist-rprt(p, h) ∈ {(t, t') | t, t' ∈ ℝ^{≥0}}, for all h ∈ H 
        seqno-rprts(p) ⊆ {(s, i) | s ∈ H, i ∈ ℕ} 

P_IPMCAST-CLIENT = Set of packets such that ∀ p ∈ P_IPMCAST-CLIENT: 
    source(p) ∈ H 
    seqno(p) ∈ ℕ 
    strip(p) ∈ {0, 1}* 

P_IPMCAST = Set of packets such that ∀ pkt ∈ P_IPMCAST: 
    strip(pkt) ∈ P_IPMCAST-CLIENT 
    intended(pkt) ⊆ H 
    completed(pkt) ⊆ H 
    dropped(pkt) ⊆ H 

Figure 7 SRM Set Definitions 

Pending-Rqsts   = {(s, i, t) | s ∈ H, i ∈ ℕ, t ∈ ℝ^{≥0}} 
Scheduled-Rqsts = {(s, i, t, k) | s ∈ H, i ∈ ℕ, t ∈ ℝ^{≥0}, k ∈ ℕ} 
Pending-Repls   = {(s, i, t) | s ∈ H, i ∈ ℕ, t ∈ ℝ^{≥0}} 
Scheduled-Repls = {(s, i, t, r) | s, r ∈ H, i ∈ ℕ, t ∈ ℝ^{≥0}} 

SRM-Status = {idle, member, crashed} 
Joining = {join-rqst-pending, join-pending, join-ack-pending} 
Leaving = {leave-rqst-pending, leave-pending, leave-ack-pending} 
SRM-Mem-Status = SRM-Status ∪ Joining ∪ Leaving 
Action-Pending = {join-rqst-pending, join-ack-pending, leave-rqst-pending, leave-ack-pending} 

IPmcast-Status = {idle, joining, leaving, member, crashed} 

Figure 8 The SRM-MEM_h Automaton — Signature 

Parameters: 
    h ∈ H 

Actions: 
    input:        crash_h, rm-join_h, rm-leave_h, mjoin-ack_h, mleave-ack_h 
    output:       mjoin_h, mleave_h, rm-join-ack_h, rm-leave-ack_h 
    time-passage: ν(t), for t ∈ ℝ^{≥0} 

Figure 9 The SRM-MEM_h Automaton — Variables and Discrete Transitions 

Variables: 
    now ∈ ℝ^{≥0}, initially now = 0 
    status ∈ SRM-Mem-Status, initially status = idle 

Discrete Transitions: 

input crash_h 
    eff status := crashed 

input rm-join_h 
    eff if status = idle then 
            status := join-rqst-pending 

input rm-leave_h 
    eff if status ∈ Joining ∪ {member} then 
            status := leave-rqst-pending 

input mjoin-ack_h 
    eff if status ∈ Joining then 
            status := join-ack-pending 

input mleave-ack_h 
    eff if status ∈ Leaving then 
            status := leave-ack-pending 

output mjoin_h 
    pre status = join-rqst-pending 
    eff status := join-pending 

output mleave_h 
    pre status = leave-rqst-pending 
    eff status := leave-pending 

output rm-join-ack_h 
    pre status = join-ack-pending 
    eff status := member 

output rm-leave-ack_h 
    pre status = leave-ack-pending 
    eff status := idle 

time-passage ν(t) 
    pre status ∉ Action-Pending 
    eff now := now + t 

Input Actions The input action crash_h models the crashing of SRM-MEM_h. The effects of 
crash_h are to set the u variable to False, denoting that SRM-MEM_h has crashed. 

The input action rm-join_h models the client's request to join the reliable multicast group. It is 
effective only when the host h is idle with respect to the reliable multicast group. If the client 
h is already either a member of, or in the process of joining, the reliable multicast group (that 
is, status ∈ Joining ∪ {member}), then the scheduling of rm-join_h is superfluous. If the client h 
is already in the process of leaving the reliable multicast group (that is, status ∈ Leaving), then 
rm-join_h is ignored so as to allow the ongoing process of leaving the reliable multicast group to 
complete. When effective, rm-join_h initiates the process of joining the reliable multicast group by 
setting the status variable to join-rqst-pending. 

The input action rm-leave_h models the client's request to leave the reliable multicast group. 
It is effective only when the host h is either a member of, or in the process of joining, the 
reliable multicast group. If the host h is either already in the process of leaving, or idle with 
respect to the reliable multicast group, then the rm-leave_h action is superfluous. When effective, 
rm-leave_h initiates the process of leaving the reliable multicast group by setting the status variable 
to leave-rqst-pending. 
The input action mjoin-ack_h acknowledges that the host h has successfully joined the underlying IP 
multicast group. It is effective only when the host h is in the process of joining the reliable multicast 
group; that is, when status ∈ Joining. When effective, mjoin-ack_h enables the I/O component to 
acknowledge the client's join request by setting the status variable to join-ack-pending. 

The input action mleave-ack_h acknowledges that the host h has successfully left the underlying 
IP multicast group. It is effective only when the host h is in the process of leaving the reliable 
multicast group; that is, when status ∈ Leaving. When effective, mleave-ack_h sets the status 
variable to leave-ack-pending. Thus, it enables the I/O component to acknowledge the client's 
leave request. 

Output Actions SRM-MEM_h initiates the process of joining the underlying IP multicast group 
by scheduling the output action mjoin_h. This action is enabled whenever the client has effectively 
requested to join the reliable multicast group; that is, when status = join-rqst-pending. Its 
effects are to record the fact that SRM-MEM_h has requested to join the IP multicast group; that 
is, it sets the status variable to join-pending. Joining the underlying IP multicast group is not 
always immediate. In order for the IP multicast service to forward packets to the host h, it may 
have to extend the IP multicast tree to include the host h. The time involved in extending the IP 
multicast tree to include the host h heavily depends on the location of the host h and the reach of 
the current IP multicast tree. 

SRM-MEM_h initiates the process of leaving the underlying IP multicast group by scheduling 
the output action mleave_h. This action is enabled whenever the client has effectively requested to 
leave the reliable multicast group; that is, status = leave-rqst-pending. Its effects are to record 
the fact that SRM-MEM_h has requested to leave the IP multicast group; that is, it sets the status 
variable to leave-pending. 

SRM-MEM_h acknowledges the client's request to join the reliable multicast group by scheduling the 
rm-join-ack_h output action. This action is enabled whenever the join acknowledgment is pending; 
that is, status = join-ack-pending. Time is not allowed to elapse while a join acknowledgment is 
pending. Thus, a join acknowledgment is sent immediately after SRM-MEM_h determines that it 
has successfully joined the IP multicast group. 

SRM-MEM_h acknowledges the client's request to leave the reliable multicast group by scheduling 
the rm-leave-ack_h output action. This action is enabled whenever the leave acknowledgment 
is pending; that is, status = leave-ack-pending. Time is not allowed to elapse while a leave 
acknowledgment is pending. Thus, a leave acknowledgment is sent immediately after SRM-MEM_h 
determines that it has successfully left the IP multicast group. 

Time Passage The action ν(t) models the passage of t time units. Time is prevented from 
elapsing while there are pending actions — either pending requests to join or leave the underlying 
IP multicast group, or pending acknowledgments that the client has successfully joined or left the 
reliable multicast group. The effects of the ν(t) action are to increment the variable now by t time 
units. 
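The SRM-MEM_h automaton of Figures 8 and 9, as an added executable rendering (not the paper's own code): each method is one discrete transition with the figure's guard, enabled() lists the output actions whose precondition holds, and time_passage enforces that no time elapses while status is in Action-Pending. The trace function and host name are constructed for illustration.

```python
# Added example, not the paper's own code: an executable model of the
# SRM-MEM_h timed I/O automaton (Figures 8 and 9). Status names and the sets
# Joining, Leaving and Action-Pending are the paper's; the trace is constructed.

JOINING = {"join-rqst-pending", "join-pending", "join-ack-pending"}
LEAVING = {"leave-rqst-pending", "leave-pending", "leave-ack-pending"}
ACTION_PENDING = {"join-rqst-pending", "join-ack-pending",
                  "leave-rqst-pending", "leave-ack-pending"}

class SrmMem:
    # output action -> (precondition on status, status after the effect)
    OUTPUTS = {
        "mjoin": ("join-rqst-pending", "join-pending"),
        "mleave": ("leave-rqst-pending", "leave-pending"),
        "rm-join-ack": ("join-ack-pending", "member"),
        "rm-leave-ack": ("leave-ack-pending", "idle"),
    }

    def __init__(self, h):
        self.h = h
        self.now = 0.0
        self.status = "idle"

    # Input actions are always accepted; their effects are guarded as in Figure 9.
    def crash(self):
        self.status = "crashed"

    def rm_join(self):
        if self.status == "idle":
            self.status = "join-rqst-pending"

    def rm_leave(self):
        if self.status in JOINING | {"member"}:
            self.status = "leave-rqst-pending"

    def mjoin_ack(self):
        if self.status in JOINING:
            self.status = "join-ack-pending"

    def mleave_ack(self):
        if self.status in LEAVING:
            self.status = "leave-ack-pending"

    def enabled(self):
        """Output actions whose precondition holds in the current state."""
        return sorted(a for a, (pre, _) in self.OUTPUTS.items() if self.status == pre)

    def fire(self, action):
        """Perform an output action; refuse if its precondition does not hold."""
        pre, post = self.OUTPUTS[action]
        if self.status != pre:
            raise RuntimeError(f"{action}_{self.h} not enabled in {self.status}")
        self.status = post

    def time_passage(self, t):
        """ν(t): allowed only while no join/leave request or acknowledgment is pending."""
        if self.status in ACTION_PENDING:
            return False
        self.now += t
        return True

def snapshot(a):
    """(status, enabled outputs, whether ν(1) was allowed) after a step."""
    return a.status, a.enabled(), a.time_passage(1.0)

def join_then_leave_trace(h="h1"):
    """Constructed trace: full join, a superfluous and an ignored rm-join, full leave."""
    a = SrmMem(h)
    actions = [a.rm_join, lambda: a.fire("mjoin"), a.mjoin_ack,
               lambda: a.fire("rm-join-ack"),
               a.rm_join,                       # superfluous while member
               a.rm_leave,
               a.rm_join,                       # ignored while leaving
               lambda: a.fire("mleave"), a.mleave_ack,
               lambda: a.fire("rm-leave-ack")]
    steps = []
    for act in actions:
        act()
        steps.append(snapshot(a))
    return a, steps
```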

5.2.3 The IP Buffer Component — SRM-IPBUFF_h 

The SRM-IPBUFF_h timed I/O automaton specifies the IP buffer component of the reliable multicast 
process. Figures 10 and 11 present the signature, the variables, and the discrete transitions of 
SRM-IPBUFF_h. 
Figure 10 The SRM-IPBUFF_h Automaton — Signature 

Parameters: 
    h ∈ H 

Actions: 
    input:        crash_h, rm-join-ack_h, rm-leave_h, 
                  mrecv_h(p), for p ∈ P_IPMCAST-CLIENT, 
                  rep-msend_h(p), for p ∈ P_SRM, 
                  rec-msend_h(p), for p ∈ P_SRM 
    output:       process-mpkt_h(p), for p ∈ P_SRM, 
                  msend_h(p), for p ∈ P_IPMCAST-CLIENT 
    time-passage: ν(t), for t ∈ ℝ^{≥0} 

Figure 11 The SRM-IPBUFF_h Automaton — Variables and Discrete Transitions 

Variables: 
    now ∈ ℝ^{≥0}, initially now = 0 
    status ∈ SRM-Status, initially status = idle 
    seqno ∈ ℕ, initially seqno = 0 
    msend-buff ⊆ P_IPMCAST-CLIENT, initially msend-buff = ∅ 
    mrecv-buff ⊆ P_IPMCAST-CLIENT, initially mrecv-buff = ∅ 

Discrete Transitions: 

input crash_h 
    eff status := crashed 

input rm-join-ack_h 
    eff if status ≠ crashed then status := member 

input rm-leave_h 
    eff if status ≠ crashed then 
            Reinitialize all variables except now and seqno. 

input mrecv_h(p) 
    eff if status = member then mrecv-buff ∪= {p} 

input rep-msend_h(p) 
    eff if status = member then 
            msend-buff ∪= {comp-IPmcast-pkt(h, seqno, p)} 
            seqno := seqno + 1 

input rec-msend_h(p) 
    eff if status = member then 
            msend-buff ∪= {comp-IPmcast-pkt(h, seqno, p)} 
            seqno := seqno + 1 

output process-mpkt_h(p) 
    choose pkt ∈ P_IPMCAST-CLIENT 
    pre status = member ∧ pkt ∈ mrecv-buff ∧ p = strip(pkt) 
    eff mrecv-buff \= {pkt} 

output msend_h(p) 
    pre status = member ∧ p ∈ msend-buff 
    eff msend-buff \= {p} 

time-passage ν(t) 
    pre status = crashed ∨ (msend-buff = ∅ ∧ mrecv-buff = ∅) 
    eff now := now + t 

Variables The variable now ∈ ℝ^{≥0} denotes the time that has elapsed since the beginning of an 
execution of SRM-IPBUFF_h. The variable status captures the status of the host h. It evaluates to 
one of the following: idle, member, and crashed. While the host h has not crashed, we say that 
it is operational. Once the host h has crashed, none of the input actions of SRM-IPBUFF_h affect 
the state of SRM-IPBUFF_h and none of the internal and output actions of SRM-IPBUFF_h, except 
the time passage action, are enabled. The variable seqno ∈ ℕ is a counter of the number of packets 
transmitted by SRM-IPBUFF_h using the underlying IP multicast service. 

The sets msend-buff and mrecv-buff are used to buffer all packets to be sent by and received from, 
respectively, the underlying IP multicast service. 

Input Actions The input action crash_h models the crashing of SRM-IPBUFF_h. The effects of 
crash_h are to set the status variable to crashed, denoting that the host h has crashed. After the 
host h has crashed, the SRM-IPBUFF_h automaton does not restrict time from elapsing. 

The input action rm-join-ack_h informs the SRM-IPBUFF_h automaton that the host h has joined 
the reliable multicast group. If the host h is operational, then the action rm-join-ack_h records 
the fact that the host h has joined the reliable multicast group by setting the variable status to 
member. 

The input action rm-leave_h informs the SRM-IPBUFF_h automaton that the host h has left the 
reliable multicast group. If the host h is operational, then the action rm-leave_h reinitializes all the 
variables of SRM-IPBUFF_h except the variables now and seqno. 

The input action mrecv_h(p) models the reception of the packet p from the underlying IP multicast 
service. If the host h is a member of the reliable multicast group, then the mrecv_h(p) action adds 
the packet p to the mrecv-buff buffer. Thus, the contents of the packet p may subsequently be 
processed by the reliable multicast service and, when appropriate, delivered to the client. 

The input actions rep-msend_h(p) and rec-msend_h(p) are performed by the reporting and recovery 
components, respectively, so as to transmit the packet p using the underlying IP multicast service. 
In the case of the rep-msend_h(p) action, the packet p is a session packet. In the case of a 
rec-msend_h(p) action, the packet p is either a data, a request, or a reply packet. 

If the host h is a member of the reliable multicast group, then SRM-IPBUFF_h encapsulates h, 
seqno, and p into a packet pkt, buffers pkt in msend-buff for transmission using the underlying IP 
multicast service, and increments seqno. In effect, the encapsulation of p annotates it with the host 
h and the value of seqno. Since the variable seqno is persistent across host joins and leaves, packets 
transmitted by the SRM-IPBUFF_h automata, for h ∈ H, are unique. 

Output Actions The output action process-mpkt_h(p) models the processing of the packet p by 
the reporting and recovery components. It is enabled when the host h is a member of the reliable 
multicast group and there is a packet pkt in the mrecv-buff buffer, such that strip(pkt) = p. Its 
effects are to remove the element pkt from the mrecv-buff buffer. 

The output action msend_h(p) models the transmission of the packet p using the underlying IP 
multicast service. It is enabled when the host h is a member of the group and the packet p is in 
the msend-buff buffer. Its effects are to remove the packet p from the msend-buff buffer. 

Time Passage The action ν(t) models the passage of t time units. Time is prevented from 
elapsing while the host h is operational and either of the buffers msend-buff and mrecv-buff is 
non-empty. The effects of the ν(t) action are to increment the variable now by t time units. 
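The SRM-IPBUFF_h automaton of Figure 11, as an added executable rendering (not the paper's own code): comp-IPmcast-pkt is modelled as the tuple (sender, seqno, payload), and the constructed trace shows that seqno survives a leave and rejoin, so the packets h sends stay unique, and that time may not pass while either buffer is non-empty.

```python
# Added example, not the paper's own code: an executable model of the
# SRM-IPBUFF_h automaton (Figure 11). comp-IPmcast-pkt(h, seqno, p) is modelled
# as the tuple (h, seqno, p); host names and payload strings are constructed.

class SrmIpBuff:
    def __init__(self, h):
        self.h = h
        self.now = 0.0
        self.status = "idle"
        self.seqno = 0
        self.msend_buff = set()
        self.mrecv_buff = set()

    def crash(self):
        self.status = "crashed"

    def rm_join_ack(self):
        if self.status != "crashed":
            self.status = "member"

    def rm_leave(self):
        if self.status != "crashed":       # reinitialize all but now and seqno
            self.status = "idle"
            self.msend_buff, self.mrecv_buff = set(), set()

    def mrecv(self, pkt):
        if self.status == "member":
            self.mrecv_buff.add(pkt)

    def _msend_from(self, p):
        """Shared effect of rep-msend_h(p) and rec-msend_h(p)."""
        if self.status == "member":
            self.msend_buff.add((self.h, self.seqno, p))   # comp-IPmcast-pkt
            self.seqno += 1

    rep_msend = _msend_from    # session packets from the reporting component
    rec_msend = _msend_from    # data, requests and replies from recovery

    def process_mpkt(self):
        """process-mpkt_h: hand strip(pkt) upward for some buffered pkt; None if not enabled."""
        if self.status != "member" or not self.mrecv_buff:
            return None
        pkt = min(self.mrecv_buff)        # any element satisfies the precondition
        self.mrecv_buff.remove(pkt)
        return pkt[2]

    def msend(self):
        """msend_h: pass one buffered packet to IP multicast; None if not enabled."""
        if self.status != "member" or not self.msend_buff:
            return None
        pkt = min(self.msend_buff)
        self.msend_buff.remove(pkt)
        return pkt

    def time_passage(self, t):
        """ν(t): allowed only when crashed or when both buffers are empty."""
        if self.status != "crashed" and (self.msend_buff or self.mrecv_buff):
            return False
        self.now += t
        return True

def leave_rejoin_trace():
    """Constructed trace: send, leave, rejoin, send again; collect what went out."""
    b = SrmIpBuff("h1")
    b.rm_join_ack()
    b.rec_msend("DATA-0")
    blocked = b.time_passage(1.0)      # msend-buff non-empty: time may not pass
    sent = [b.msend()]
    b.rm_leave()                       # buffers reset, seqno kept
    b.rm_join_ack()
    b.rep_msend("SESS-0")
    sent.append(b.msend())
    b.mrecv(("h2", 0, "DATA-0"))       # a packet from another member arrives
    delivered = b.process_mpkt()
    return b, sent, blocked, delivered
```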

5.2.4 The Recovery Component — SRM-REC_h 

The SRM-REC_h timed I/O automaton specifies the recovery component of the reliable multicast 
service. Figure 12 presents the signature of SRM-REC_h; that is, its parameters and actions. 
Figure 13 presents the variables of SRM-REC_h. Figures 14 and 15 present the discrete transitions 
of SRM-REC_h. In order to provide the appropriate context, the description of each of the parameters 
of SRM-REC_h is deferred to appropriate places within the description of its variables and actions. 

Variables The variable now ∈ ℝ^{≥0} denotes the time that has elapsed since the beginning of an 
execution of SRM-REC_h. The variable status captures the status of the host h. It evaluates to 
one of the following: idle, member, and crashed. While the host h has not crashed, we say that 
it is operational. Each of the dist(h') ∈ ℝ^{≥0} variables, for h' ∈ H, h' ≠ h, denotes the host h's 
distance estimate to the host h'. Each of the dist(h') variables is initialized to the parameter 
DFLT-DIST. Each of the min-seqno(h') ∈ ℕ and max-seqno(h') ∈ ℕ variables, for h' ∈ H, denotes 
the minimum and maximum ADU sequence numbers observed to have been transmitted by the 
host h'. The variable archived-pkts ⊆ P_RM-CLIENT × ℝ^{≥0} is comprised of pairs involving the ADUs 
that have either been sent by or buffered for delivery to the client at h and the first point in time 
at which each ADU has either been sent by or buffered for delivery to the client at h. The variable 
to-be-requested ⊆ H × ℕ denotes the set of ADU packets that have been identified as missing and 
for which a request has yet to be scheduled. The elements of to-be-requested are tuples of the form 
(s, i), with s ∈ H and i ∈ ℕ denoting the source s and the sequence number i of the missing ADU. 

The set pending-rqsts ⊆ Pending-Rqsts is comprised of tuples that correspond to packets for which 
a request is pending; that is, a request for the particular packet has recently either been sent or 
received and a reply is being awaited. The tuples of pending-rqsts are of the form (s, i, t), with 
s ∈ H, i ∈ ℕ, t ∈ ℝ≥0; s and i represent the source and sequence number of the packet whose 
request is pending and t represents the back-off abstinence deadline; that is, the time before which 
the request timeout timer for the given packet may not be backed off. A pending request expires 
when time elapses past its back-off abstinence timeout. Prior to its expiration, a pending request 
is said to be active. 

The set scheduled-rqsts ⊆ Scheduled-Rqsts is comprised of tuples that correspond to packets for 
which a request has been scheduled and is awaiting transmission. The tuples of scheduled-rqsts are 
of the form (s, i, t, k), with s ∈ H, i ∈ ℕ, t ∈ ℝ≥0, k ∈ ℕ; s and i correspond to the source and 
sequence number of the packet to be requested, t is the time for which the request is scheduled 
for transmission, and k is the number of times a request for the given packet has already been 
scheduled. 

The set pending-repls ⊆ Pending-Repls is comprised of tuples that correspond to packets for which 
a reply has recently been either sent or received. The tuples of pending-repls are of the form (s, i, t), 
with s ∈ H, i ∈ ℕ, t ∈ ℝ≥0; s and i correspond to the source and sequence number of the packet for 
which a reply has already been either sent or received and t is the abstinence timeout of the reply; 
that is, a deadline before which replies for the given packet may not be scheduled by the host h. 
A pending reply expires when time elapses past its abstinence timeout. Prior to its expiration, a 
pending reply is said to be active. 

The set scheduled-repls ⊆ Scheduled-Repls is comprised of tuples that correspond to packets for 
which a reply has been scheduled and is awaiting transmission. The tuples comprising the set 
scheduled-repls are of the form (s, i, t, r), with s, r ∈ H, i ∈ ℕ, t ∈ ℝ≥0; s and i correspond to the 
source and sequence number of the packet to be retransmitted, t is the time for which the reply is 
scheduled for transmission, and r is the host whose request induced the scheduling of the particular 
reply. 

The set to-be-delivered ⊆ P_RM-Client is used to buffer the packets that are to be subsequently 
delivered to the client. The set msend-buff ⊆ P_SRM is used to buffer the packets that are to 
be subsequently multicast using the underlying IP multicast service; that is, it contains the data 
packets of the client and the requests and replies of the recovery component to be transmitted by 
the host h. 

Derived Variables The derived variable proper?(h'), for h' ∈ H, is the set comprised of the 
identifiers of the packets from h' whose sequence numbers are no less than min-seqno(h'). The 
derived variable window?(h'), for h' ∈ H, is the set comprised of the identifiers of the packets from 
h' whose sequence numbers are no less than min-seqno(h') and no greater than max-seqno(h'). 

The derived variable archived-pkts? ⊆ H × ℕ identifies all the packets for which there is a 
corresponding tuple in the set archived-pkts. The derived variable archived-pkts?(h') ⊆ H × ℕ, 
for h' ∈ H, identifies all the packets from h' for which there is a corresponding tuple in the set 
archived-pkts. 

The derived variable to-be-requested(h') ⊆ H × ℕ, for h' ∈ H, identifies all the packets from h' 
that are in the set to-be-requested. The derived variable to-be-delivered? ⊆ H × ℕ identifies all the 
packets for which there is a corresponding tuple in the set to-be-delivered. The derived variable 
to-be-delivered?(h') ⊆ H × ℕ, for h' ∈ H, identifies all the packets from h' that are in the set 
to-be-delivered. 

Figure 12 The SRM-REC_h Automaton — Signature 

Parameters: 

h ∈ H, C1, C2, C3, D1, D2, D3 ∈ ℝ≥0, DFLT-DIST ∈ ℝ≥0 

Actions: 

input 
  crash_h 
  rm-join-ack_h 
  rm-leave_h 
  rm-send_h(p), for p ∈ P_RM-Client 
  rep-dist_h(h', d'), for h' ∈ H, h' ≠ h, d' ∈ ℝ≥0 
  rep-seqno_h(s, i), for s ∈ H, s ≠ h, i ∈ ℕ 
  process-mpkt_h(p), for p ∈ P_SRM 

time-passage 
  ν(t), for t ∈ ℝ≥0 

internal 
  schdl-rqst_h(s, i), for s ∈ H, i ∈ ℕ 
  send-rqst_h(s, i), for s ∈ H, i ∈ ℕ 
  send-repl_h(s, i), for s ∈ H, i ∈ ℕ 

output 
  rm-recv_h(p), for p ∈ P_RM-Client 
  rec-msend_h(p), for p ∈ P_SRM 



Figure 13 The SRM-rec^ Automaton — Variables 



Variables: 



now £ M.— , initially now = 

status £ SRM-Status, initially status = idle 

dist(h') £ R^°, for all ft' £ H,h' ^ h, initially dist(h') 



: DFLT-DIST, for all h' £ H,ti ^ ft 



min-seqno(h') £ N U _L, for all fe' £ fl", initially min-seqno(h') = 
max-seqno(h') £ N U _l_, for all /i' £ _ff, initially max-seqno(h') - 
archived-pkts C Prm-Client X K— °, initially archived-pkts = 
to-be-requested CHxN, initially to-be-requested = 
pending-rqsts C Pending- Rqsts , initially pending-rqsts = 
scheduled-rqsts C Scheduled- Rqsts, initially scheduled-rqsts = 
pending-repls C Pending- Repls, initially pending-repls = 
scheduled-repls C Scheduled- Repls, initially scheduled-repls = 
to-be-delivered C Prm-Client, initially to-be-delivered = 
msend-buff C Psrm, initially msend-buff = 



for all ft'eif 
, for all h' £ H 



Derived Variables: 



for all /i' £ //, proper? (h 1 ) 



if) 



for all ft' £ .ff, window?{h') 



if min-seqno(h') =_L 
h' , min-seqno(h') < i} otherwise 

if min-seqno(h') 
- h' ,min-seqno(h') < i < max-seqno(h')} otherwise 

_" ■ /^ /\ £Z nowti ni\£>s1 -V\b*-ha A nil nl — /o -/\ L 



{(s,i) £ H x N | s = 

'0 
{(s,i> e//xN|s 
archived-pkts? = {{s,i} £ H X N | 3p £ Prm-Client,* £ R- U : (p, *) £ archived-pkts A id(p) 
archived-pkts? (h') = {(s,i) £ archived-pkts? \ s = h'}, for all h' £ _ff 
to-be-requested(h') = {{s, i) £ to-be-requested \ s = h'}, for all h' £ H 
to-be-delivered? = {(s, i) £ i? X N | 3p £ to-be-delivered : (s,i) = id(p)} 
to-be-delivered? (h') = {(s,i) £ to-be-delivered? \ s = h'}, for all /i' £ H 
scheduled-rqsts? = {(s, i) £ H X N | 3 t £ E-°, fe £ N : (s, i, t, k) £ scheduled-rqsts} 
scheduled-rqsts? (h 1 ) = {(s,i) £ scheduled-rqsts? \ s = h'} 

scheduled-repls? = {{s,i) £ H X N | 3 t £ R-°,r £ _f/ : (s,i,t,r) £ scheduled-repls} 
pending-rqsts? = {(s, i) £ // X N | 3 t £ K— ° : now < t A (s, i, t) £ pending-rqsts} 
pending-repls? = {(s, i) £ H X N | 3 t £ M— ° : noui < t A (s, i, t) £ pending-repls} 

The derived variable scheduled-rqsts? ⊆ H × ℕ identifies all the packets for which there 
is a corresponding scheduled request tuple in the set scheduled-rqsts. The derived variable 
scheduled-rqsts?(h') ⊆ H × ℕ, for h' ∈ H, identifies all the packets from h' whose identifiers 
are in the set scheduled-rqsts?. The derived variable scheduled-repls? ⊆ H × ℕ identifies all the 
packets for which there is a corresponding scheduled reply tuple in the set scheduled-repls. 

The derived variable pending-rqsts? ⊆ H × ℕ identifies all the packets for which there is an active 
pending request; that is, there is a corresponding tuple in the set pending-rqsts whose back-off 
abstinence timeout has not yet expired. The derived variable pending-repls? ⊆ H × ℕ identifies all 
the packets for which there is an active pending reply; that is, there is a corresponding tuple in the 
set pending-repls whose abstinence timeout has not yet expired. 
Input Actions The input action crash_h models the crashing of the host h. The effects of crash_h 
are to set the status variable to crashed. Once the host h has crashed, none of the input actions 
of SRM-REC_h affect its state, none of the internal and output actions of SRM-REC_h are enabled, 
and time is not restricted from elapsing. 

The input action rm-join-ack_h informs the SRM-REC_h automaton that the host h has joined the 
reliable multicast group. If the host h is operational, then the rm-join-ack_h action records the 
fact that the host h has joined the reliable multicast group by setting the variable status to member. 
Subsequently, SRM-REC_h may transmit, process, and deliver packets and schedule packet requests 
and replies. 

The input action rm-leave_h informs the SRM-REC_h automaton that the host h has left the reliable 
multicast group. If the host h is operational, then the action rm-leave_h reinitializes all the variables 
of SRM-REC_h except the variable now. Subsequently, the SRM-REC_h automaton ceases transmitting, 
processing, and delivering packets and scheduling packet requests and replies. 

The input action rm-send_h(p) models the transmission of the packet p by the client at h using 
the reliable multicast service. rm-send_h(p) is effective only when the host h is a member of the 
reliable multicast group and the host h is the source of the packet p. If p is the first packet 
to be transmitted by the client since it last joined the reliable multicast group, the rm-send_h(p) 
action sets the min-seqno(h) variable to the sequence number of p. Otherwise, SRM-REC_h ensures 
that p corresponds to the next packet awaited; that is, the packet whose sequence number is one 
larger than the sequence number of the latest packet transmitted by h. If so, SRM-REC_h updates 
max-seqno(h), archives p, and generates a DATA packet to subsequently be transmitted to the other 
members of the reliable multicast group through the underlying IP multicast service. The operation 
comp-data-pkt(p) composes a DATA packet corresponding to the client packet p. 

Each input action rep-dist_h(h', d'), for h' ∈ H, h' ≠ h, d' ∈ ℝ≥0, reports to SRM-REC_h an 
updated distance estimate d' to h'. If the host h is a member of the reliable multicast group, then 
the rep-dist_h(h', d') action sets the variable dist(h') to the value d'. 

Each input action rep-seqno_h(s, i), for s ∈ H, s ≠ h, i ∈ ℕ, reports to SRM-REC_h the 
latest observed sequence number i for the source s. If the host h is a member of the reliable 
multicast group, (s, i) corresponds to a proper packet, and i is greater than max-seqno(s), 
then the rep-seqno_h(s, i) action adds the packets from s with sequence numbers ranging from 
max-seqno(s) + 1 to i to the set to-be-requested and sets max-seqno(s) to i. 

The input action process-mpkt_h(p) models the processing of the packet p by SRM-REC_h. The 
packet p is processed only when the host h is a member of the reliable multicast group. We proceed 
by describing the effects of process-mpkt_h(p) depending on the type of the packet p. When p is 
either a DATA, RQST, or REPL packet, we let s_p ∈ H and i_p ∈ ℕ denote the source and the sequence 
number pertaining to the packet p. 

First, consider the case where p is a DATA packet. If h is not the source of p and p is the first 
packet from s_p to be received by h, then the variables min-seqno(s_p) and max-seqno(s_p) are set 
to i_p. Following this initial assignment of min-seqno(s_p) to i_p, all DATA, RQST, and REPL packets 
pertaining to ADUs from s_p with sequence numbers less than i_p are considered improper and are 
discarded. Conversely, all DATA, RQST, and REPL packets pertaining to ADUs from s_p with sequence 
numbers equal to or greater than i_p are considered proper and are processed. 

The processing of packet p proceeds only while it is considered a proper packet. Unless either h 
is the source of p or p is already archived, p is archived by adding the tuple (strip(p), now) to 
archived-pkts. Unless h is the source of p, the ADU contained in p is buffered in to-be-delivered so 
that it may subsequently be delivered to the client. Thus, the reliable multicast process does not 
deliver packets sent by a client to itself. Moreover, the reliable multicast service may also deliver 
Figure 14 The SRM-REC_h Automaton — Discrete Transitions 

input crash_h 
  eff status := crashed 

input rm-join-ack_h 
  eff if status ≠ crashed then status := member 

input rm-leave_h 
  eff if status ≠ crashed then 
        Reinitialize all variables except now. 

input rm-send_h(p) 
  eff if status = member ∧ h = source(p) then 
        (s_p, i_p) = id(p) 
        \\ Record foremost DATA packet 
        if min-seqno(s_p) = ⊥ then min-seqno(s_p) := i_p 
        \\ Only consider next packet 
        if max-seqno(s_p) = ⊥ ∨ i_p = max-seqno(s_p) + 1 then 
          max-seqno(s_p) := i_p 
          \\ Archive packet 
          archived-pkts ∪= {(p, now)} 
          \\ Compose data packet 
          msend-buff ∪= {comp-data-pkt(p)} 

input rep-dist_h(h', d') 
  eff if status = member then 
        dist(h') := d' 

input rep-seqno_h(s, i) 
  eff if status = member ∧ min-seqno(s) ≠ ⊥ ∧ max-seqno(s) < i then 
        to-be-requested ∪= {(s, i') | i' ∈ ℕ, max-seqno(s) < i' ≤ i} 
        max-seqno(s) := i 

internal schdl-rqst_h(s, i) 
  pre status = member ∧ (s, i) ∈ to-be-requested 
  eff \\ Schedule new request 
      k_r := 1; d_r := dist(s) 
      t_r :∈ now + 2^(k_r − 1) [C1 d_r, (C1 + C2) d_r] 
      scheduled-rqsts ∪= {(s, i, t_r, k_r)} 
      \\ Pkt request has been scheduled 
      to-be-requested \= {(s, i)} 

internal send-rqst_h(s, i) 
  choose t ∈ ℝ≥0, k ∈ ℕ 
  pre status = member ∧ t = now ∧ (s, i, t, k) ∈ scheduled-rqsts 
  eff \\ Compose request packet 
      msend-buff ∪= {comp-rqst-pkt(h, (s, i))} 
      \\ Back-off scheduled request 
      scheduled-rqsts \= {(s, i, t, k)} 
      k_r := k + 1; d_r := dist(s) 
      t_r :∈ now + 2^(k_r − 1) [C1 d_r, (C1 + C2) d_r] 
      scheduled-rqsts ∪= {(s, i, t_r, k_r)} 
      \\ A request becomes pending 
      pending-rqsts \= {(s, i, t*) | t* ∈ ℝ≥0} 
      t_r := now + 2^(k_r − 1) C3 d_r 
      pending-rqsts ∪= {(s, i, t_r)} 

internal send-repl_h(s, i) 
  choose t ∈ ℝ≥0, r ∈ H 
  pre status = member ∧ t = now ∧ (s, i, t, r) ∈ scheduled-repls 
  eff \\ Compose reply packet 
      choose p ∈ P_RM-Client, t' ∈ ℝ≥0 
        where (p, t') ∈ archived-pkts ∧ id(p) = (s, i) 
      msend-buff ∪= {comp-repl-pkt(h, p)} 
      \\ A reply becomes pending 
      pending-repls \= {(s, i, t*) | t* ∈ ℝ≥0} 
      t_repl := now + D3 dist(r) 
      pending-repls ∪= {(s, i, t_repl)} 
      \\ Cancel scheduled reply 
      scheduled-repls \= {(s, i, t, r)} 

output rm-recv_h(p) 
  pre status = member ∧ p ∈ to-be-delivered 
      ∧ (∄ p' ∈ to-be-delivered : source(p') = source(p) ∧ seqno(p') < seqno(p)) 
  eff to-be-delivered \= {p} 

output rec-msend_h(p) 
  pre status = member ∧ p ∈ msend-buff 
  eff msend-buff \= {p} 

time-passage ν(t) 
  pre status = crashed 
      ∨ (to-be-requested = ∅ ∧ to-be-delivered = ∅ ∧ msend-buff = ∅ 
         ∧ no requests scheduled earlier than now + t 
         ∧ no replies scheduled earlier than now + t) 
  eff now := now + t 



the same ADU to the client multiple times. The identifier of the ADU pertaining to p is removed 
from the to-be-requested set and any scheduled requests and replies for the ADU pertaining to p 
are canceled. Finally, unless h is the source of p, SRM-REC_h adds any trailing missing packets to 
the set to-be-requested, so that a request for each of them may subsequently be scheduled. 

Second, consider the case where p is a REPL packet. The processing of a REPL packet is similar 
to that of a DATA packet. The differences are that p is processed only if it pertains to a proper 
ADU and that, in addition to the effects of processing a DATA packet, a reply for the given ADU 
becomes pending. While this pending reply is active, SRM-REC_h does not schedule replies for the 
ADU pertaining to p. 

Third, consider the case where p is a RQST packet. Once again, p is processed only if it pertains to 
a proper ADU. If p pertains to an ADU that has been archived and for which a reply is neither 
scheduled nor pending, then SRM-REC_h schedules a retransmission of the requested ADU. This 
retransmission is scheduled for a point in time in the future that is chosen uniformly within the 
interval now + [D1 d_repl, (D1 + D2) d_repl], with d_repl = dist(sender(p)). If p pertains to an ADU that 
has not been archived, then the effects of process-mpkt_h(p) depend on whether there is a request 
for the given ADU already scheduled. If h is not the source of p and there is no request for the ADU 
of p already scheduled, then a request for the given ADU is scheduled. This request is scheduled for 
a point in time in the future that is chosen uniformly within the interval now + 2[C1 d_r, (C1 + C2) d_r], 
with d_r = dist(s_p); that is, the request is scheduled as if a first-round request is being backed off. 
If h is not the source of p, there is a request for the ADU of p already scheduled, and there 
are no pending requests for the ADU of p still active, then the request for the ADU of p 
that is already scheduled is exponentially backed off. When either a new request is scheduled or 
an existing request is backed off, a request for the given ADU becomes pending with a back-off 
abstinence timeout equal to now + 2^(k−1) C3 d_r, where k is the round of the rescheduled request and 
d_r = dist(s_p). Finally, unless h is the source of p, SRM-REC_h adds any trailing missing packets to 
the set to-be-requested, so that a request for each of them may subsequently be scheduled. 

Finally, in the case where p is a SESS packet, the process-mpkt_h(p) action does not affect the state 
of SRM-REC_h; SESS packets are in effect discarded by the SRM-REC_h automaton. 

Internal Actions Each internal action schdl-rqst_h(s, i), for s ∈ H, s ≠ h, i ∈ ℕ, schedules a 
request for the packet (s, i). The precondition of the schdl-rqst_h(s, i) action is that the host h is a 
member of the reliable multicast group and the tuple (s, i) is in the set to-be-requested. The effects 
of the schdl-rqst_h(s, i) action are to schedule a new request for a point in time in the future that 
is chosen uniformly within the interval now + [C1 d_r, (C1 + C2) d_r], with d_r = dist(s), and to remove 
the tuple (s, i) from the set to-be-requested. 

Each internal action send-rqst_h(s, i), for s ∈ H, i ∈ ℕ, models the expiration of the transmission 
timeout of a scheduled request for the packet (s, i). The precondition of send-rqst_h(s, i) is 
that the host h is a member of the reliable multicast group and a previously scheduled request 
for the packet (s, i) has expired; that is, there is a tuple (s, i, t, k) in scheduled-rqsts such that 
t = now. Let the tuple (s, i, t, k) be the element of scheduled-rqsts corresponding to the packet 
(s, i). send-rqst_h(s, i) composes a request packet and adds it to the buffer msend-buff. The 
operation comp-rqst-pkt(h, (s, i)) composes a RQST packet from h for the packet (s, i). 

Moreover, the request (s, i, t, k) is backed off and a request for the given ADU becomes pending. 
The timeout timer of the rescheduled request is set to a point in time in the future that is chosen 
uniformly within the interval now + 2^(k_r − 1) [C1 d_r, (C1 + C2) d_r] and the back-off abstinence timeout 
of the pending request is set to now + 2^(k_r − 1) C3 d_r, with k_r = k + 1 and d_r = dist(s). 

Each internal action send-repl_h(s, i), for s ∈ H, i ∈ ℕ, models the expiration of the transmission 
timeout of a scheduled reply for the packet (s, i). The precondition of send-repl_h(s, i) is that the 
host h is a member of the reliable multicast group and a previously scheduled reply for the packet 
(s, i) has expired; that is, there is a tuple (s, i, t, r) in scheduled-repls such that t = now. Let the 
tuple (s, i, t, r) be the element of scheduled-repls corresponding to the packet (s, i). send-repl_h(s, i) 
composes a reply packet and adds it to the buffer msend-buff. The operation comp-repl-pkt(h, p) 
composes a REPL packet from h for the packet p. 

Moreover, the tuple corresponding to (s, i) is removed from the set scheduled-repls and a tuple 
corresponding to (s, i) is added to the set pending-repls. The reply abstinence timeout of this 
pending reply is set to now + D3 dist(r). This pending reply prevents the scheduling of replies for 
the given ADU for D3 dist(r) time units. 

Output Actions Each output action rm-recv_h(p), for p ∈ P_RM-Client, models the delivery of 
the packet p to the client. It is enabled when the host h is a member of the reliable multicast group 
and the packet p is the packet in the to-be-delivered buffer with the smallest sequence number 
among the buffered packets from its source. 
Figure 15 The SRM-REC_h Automaton — Discrete Transitions (Cnt'd) 

input process-mpkt_h(p) 
  where type(p) = DATA 
  eff if status = member then 
        (s_p, i_p) = id(p) 
        \\ Record foremost DATA packet 
        if h ≠ s_p ∧ min-seqno(s_p) = ⊥ then 
          min-seqno(s_p) := i_p; max-seqno(s_p) := i_p 
        \\ Only consider proper packets 
        if min-seqno(s_p) ≠ ⊥ ∧ min-seqno(s_p) ≤ i_p then 
          \\ Archive and deliver packet 
          if h ≠ s_p ∧ (s_p, i_p) ∉ archived-pkts? then 
            archived-pkts ∪= {(strip(p), now)} 
          if h ≠ s_p then to-be-delivered ∪= {strip(p)} 
          \\ Pkt need not be requested 
          to-be-requested \= {(s_p, i_p)} 
          \\ Cancel any scheduled requests and replies 
          scheduled-rqsts \= {(s_p, i_p, t, k) | t ∈ ℝ≥0, k ∈ ℕ} 
          scheduled-repls \= {(s_p, i_p, t, r) | t ∈ ℝ≥0, r ∈ H} 
          \\ Cancel any pending requests 
          pending-rqsts \= {(s_p, i_p, t) | t ∈ ℝ≥0} 
          \\ Discover any trailing missing packets 
          if h ≠ s_p ∧ max-seqno(s_p) < i_p then 
            to-be-requested ∪= {(s_p, i) | i ∈ ℕ, max-seqno(s_p) < i < i_p} 
            max-seqno(s_p) := i_p 

input process-mpkt_h(p) 
  where type(p) = REPL 
  eff if status = member then 
        (s_p, i_p) = id(p) 
        \\ Only consider proper packets 
        if min-seqno(s_p) ≠ ⊥ ∧ min-seqno(s_p) ≤ i_p then 
          \\ A reply becomes pending 
          pending-repls \= {(s_p, i_p, t*) | t* ∈ ℝ≥0} 
          t_repl := now + D3 dist(s_p) 
          pending-repls ∪= {(s_p, i_p, t_repl)} 
          \\ Archive and deliver packet 
          if h ≠ s_p ∧ (s_p, i_p) ∉ archived-pkts? then 
            archived-pkts ∪= {(strip(p), now)} 
          if h ≠ s_p then to-be-delivered ∪= {strip(p)} 
          \\ Pkt need not be requested 
          to-be-requested \= {(s_p, i_p)} 
          \\ Cancel any scheduled requests and replies 
          scheduled-rqsts \= {(s_p, i_p, t, k) | t ∈ ℝ≥0, k ∈ ℕ} 
          scheduled-repls \= {(s_p, i_p, t, r) | t ∈ ℝ≥0, r ∈ H} 
          \\ Cancel any pending requests 
          pending-rqsts \= {(s_p, i_p, t) | t ∈ ℝ≥0} 
          \\ Discover any trailing missing packets 
          if h ≠ s_p ∧ max-seqno(s_p) < i_p then 
            to-be-requested ∪= {(s_p, i) | i ∈ ℕ, max-seqno(s_p) < i < i_p} 
            max-seqno(s_p) := i_p 

input process-mpkt_h(p) 
  where type(p) = RQST 
  eff if status = member then 
        (s_p, i_p) = id(p) 
        \\ Only consider proper packets 
        if min-seqno(s_p) ≠ ⊥ ∧ min-seqno(s_p) ≤ i_p then 
          if h ≠ s_p then 
            if (s_p, i_p) ∈ archived-pkts? then 
              if (s_p, i_p) ∉ scheduled-repls? ∧ (s_p, i_p) ∉ pending-repls? then 
                \\ Schedule a new reply 
                d_repl := dist(sender(p)) 
                t_repl :∈ now + [D1 d_repl, (D1 + D2) d_repl] 
                r_repl := sender(p) 
                scheduled-repls ∪= {(s_p, i_p, t_repl, r_repl)} 
            else 
              if (s_p, i_p) ∉ scheduled-rqsts? then 
                \\ Schedule a backed-off request 
                k_r := 2; d_r := dist(s_p) 
                t_r :∈ now + 2^(k_r − 1) [C1 d_r, (C1 + C2) d_r] 
                scheduled-rqsts ∪= {(s_p, i_p, t_r, k_r)} 
                \\ Pkt request has been scheduled 
                to-be-requested \= {(s_p, i_p)} 
                \\ A request becomes pending 
                pending-rqsts \= {(s_p, i_p, t*) | t* ∈ ℝ≥0} 
                t_r := now + 2^(k_r − 1) C3 d_r 
                pending-rqsts ∪= {(s_p, i_p, t_r)} 
              else 
                if (s_p, i_p) ∉ pending-rqsts? then 
                  \\ Backoff scheduled request 
                  choose t ∈ ℝ≥0, k ∈ ℕ where (s_p, i_p, t, k) ∈ scheduled-rqsts 
                  scheduled-rqsts \= {(s_p, i_p, t, k)} 
                  k_r := k + 1; d_r := dist(s_p) 
                  t_r :∈ now + 2^(k_r − 1) [C1 d_r, (C1 + C2) d_r] 
                  scheduled-rqsts ∪= {(s_p, i_p, t_r, k_r)} 
                  \\ A request becomes pending 
                  pending-rqsts \= {(s_p, i_p, t*) | t* ∈ ℝ≥0} 
                  t_r := now + 2^(k_r − 1) C3 d_r 
                  pending-rqsts ∪= {(s_p, i_p, t_r)} 
          \\ Discover any trailing missing packets 
          if h ≠ s_p ∧ max-seqno(s_p) < i_p then 
            to-be-requested ∪= {(s_p, i) | i ∈ ℕ, max-seqno(s_p) < i < i_p} 
            max-seqno(s_p) := i_p 

input process-mpkt_h(p) 
  where type(p) = SESS 
  eff None 



This ordering constraint ensures that the foremost packet received of any source is delivered to the 
client prior to any other packet from the particular source. Its effects are to remove the packet p 
from the to-be-delivered buffer. 

Each output action rec-msend_h(p), for p ∈ P_SRM, hands off the packet p from SRM-REC_h to 
SRM-IPBUFF_h so that it may subsequently be multicast by SRM-IPBUFF_h using the underlying 
IP multicast service. The precondition of the rec-msend_h(p) action is that the host h is a member 
of the reliable multicast group and p is in the msend-buff buffer. Its effects are to remove p from 
the msend-buff buffer. 

Time Passage The action ν(t) models the passage of t time units. If the host h has crashed, 
then time is allowed to elapse. Otherwise, time is prevented from elapsing while either there are 
packets in the delivery and IP multicast transmission buffers or there are packets which have been 
declared missing but for which a request has yet to be scheduled; that is, while either the buffer 
to-be-delivered, the buffer msend-buff, or the set to-be-requested is non-empty. Furthermore, time 
is prevented from elapsing past the transmission deadline of any scheduled requests or replies. 
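To make the request and reply bookkeeping of SRM-REC_h concrete, the following Python model is an added example, not the paper's code: it implements the actions described above (schdl-rqst, send-rqst, process-mpkt for DATA, RQST, REPL and SESS packets, and time passage) for a single host, with a constructed run in which host b recovers two missing ADUs from source a. The names SrmRec and scenario, the packet tuples, and the deterministic choice of the low end of each timer interval are this example's assumptions; the paper chooses timer values uniformly within the interval.

```python
from dataclasses import dataclass, field


@dataclass
class SrmRec:
    """One host's SRM-REC_h (added example, not the paper's code). Assumptions: timers take the low
    end of each interval (so C2 and D2 are unused) and each packet id holds at most one tuple."""
    h: str
    C1: float = 2.0; C3: float = 1.0; D1: float = 1.0; D3: float = 1.0; dflt_dist: float = 1.0
    now: float = 0.0; status: str = "idle"
    dist: dict = field(default_factory=dict)             # h' -> distance estimate
    min_seqno: dict = field(default_factory=dict)        # h' -> int; absent means bottom
    max_seqno: dict = field(default_factory=dict)
    archived: dict = field(default_factory=dict)         # (s, i) -> time first archived
    to_be_requested: set = field(default_factory=set)
    scheduled_rqsts: dict = field(default_factory=dict)  # (s, i) -> (t, k)
    pending_rqsts: dict = field(default_factory=dict)    # (s, i) -> back-off abstinence deadline
    scheduled_repls: dict = field(default_factory=dict)  # (s, i) -> (t, requester)
    pending_repls: dict = field(default_factory=dict)    # (s, i) -> reply abstinence deadline
    to_be_delivered: set = field(default_factory=set)
    msend_buff: list = field(default_factory=list)

    def _dist(self, h2):
        return self.dist.get(h2, self.dflt_dist)

    def _active(self, table, key):              # pending-rqsts? / pending-repls?
        return key in table and self.now < table[key]

    def _backoff(self, s, i, k_r):              # schedule round k_r and make a request pending
        d = self._dist(s)
        self.scheduled_rqsts[(s, i)] = (self.now + 2 ** (k_r - 1) * self.C1 * d, k_r)
        self.pending_rqsts[(s, i)] = self.now + 2 ** (k_r - 1) * self.C3 * d

    def _trailing(self, s, i):                  # sequence numbers between max-seqno(s) and i are missing
        if self.h != s and self.max_seqno[s] < i:
            self.to_be_requested |= {(s, j) for j in range(self.max_seqno[s] + 1, i)}
            self.max_seqno[s] = i

    def schdl_rqst(self, s, i):
        assert self.status == "member" and (s, i) in self.to_be_requested
        self.scheduled_rqsts[(s, i)] = (self.now + self.C1 * self._dist(s), 1)
        self.to_be_requested.discard((s, i))

    def send_rqst(self, s, i):
        t, k = self.scheduled_rqsts[(s, i)]
        assert self.status == "member" and t == self.now
        self.msend_buff.append(("RQST", self.h, s, i))
        self._backoff(s, i, k + 1)              # exponential back-off of the next round

    def process_mpkt(self, p):
        """p = (type, sender, source, seqno); SESS packets leave the state unchanged."""
        typ, sender, s, i = p
        key = (s, i)
        if self.status != "member" or typ == "SESS":
            return
        if typ == "DATA" and self.h != s and s not in self.min_seqno:
            self.min_seqno[s] = self.max_seqno[s] = i
        if s not in self.min_seqno or i < self.min_seqno[s]:
            return                              # improper packet: discarded
        if typ == "RQST":
            if self.h != s:
                if key in self.archived:        # reply unless one is scheduled or pending
                    if key not in self.scheduled_repls and not self._active(self.pending_repls, key):
                        self.scheduled_repls[key] = (self.now + self.D1 * self._dist(sender), sender)
                elif key not in self.scheduled_rqsts:
                    self._backoff(s, i, 2)      # as if a first-round request were backed off
                    self.to_be_requested.discard(key)
                elif not self._active(self.pending_rqsts, key):
                    self._backoff(s, i, self.scheduled_rqsts[key][1] + 1)
            self._trailing(s, i)
            return
        if typ == "REPL":                       # suppress our own replies for D3*dist(s_p)
            self.pending_repls[key] = self.now + self.D3 * self._dist(s)
        if self.h != s:
            self.archived.setdefault(key, self.now)
            self.to_be_delivered.add(key)
        self.to_be_requested.discard(key)
        for table in (self.scheduled_rqsts, self.scheduled_repls, self.pending_rqsts):
            table.pop(key, None)
        self._trailing(s, i)

    def time_passage(self, t):                  # time is blocked while work is outstanding
        if self.status != "crashed":
            assert not (self.to_be_requested or self.to_be_delivered or self.msend_buff)
            assert all(self.now + t <= d for d, _ in (*self.scheduled_rqsts.values(), *self.scheduled_repls.values()))
        self.now += t


def scenario():                                 # constructed run, not from the paper
    b = SrmRec("b", status="member")           # host b recovers (a, 2) and (a, 3)
    b.process_mpkt(("DATA", "a", "a", 1))      # first packet from a: min = max = 1
    b.process_mpkt(("DATA", "a", "a", 4))      # (a, 2) and (a, 3) are now missing
    for key in sorted(b.to_be_requested):
        b.schdl_rqst(*key)                     # both due at now + C1*dist(a) = 2
    b.to_be_delivered.clear()                  # rm-recv delivers (a, 1) then (a, 4)
    b.time_passage(2.0)
    b.send_rqst("a", 2)                        # round 2: due at 6, abstain until 4
    b.process_mpkt(("RQST", "c", "a", 3))      # c's request backs off our own for (a, 3)
    b.process_mpkt(("REPL", "d", "a", 2))      # d's reply completes recovery of (a, 2)
    b.process_mpkt(("RQST", "e", "a", 2))      # no reply scheduled: d's reply is still pending
    return b
```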

5.2.5 The Reporting Component — SRM-REP_h 

The SRM-REP_h timed I/O automaton specifies the reporting component of the reliable multicast 
process at each host h ∈ H. Figures 16, 17, and 18 present the signature, the variables, and the 
discrete transitions of SRM-REP_h, respectively. 

Variables The variable now ∈ ℝ≥0 denotes the time that has elapsed since the beginning of 
an execution of SRM-REP_h. The variable status captures the status of the host h. It evaluates 
to one of the following: idle, member, and crashed. While the host h has not crashed, we say 
that it is operational. The variable rep-deadline ∈ ℝ≥0 ∪ ⊥ denotes the point in time at which the 
next session packet is scheduled for transmission. The variable rep-deadline is equal to ⊥ when 
undefined. 

The variable dist-rprt(h') ∈ ℝ≥0 × ℝ≥0 ∪ ⊥, for each h' ∈ H, h' ≠ h, records the transmission and 
the reception times of the most recent session packet of h' to be received by the host h. That 
is, for each h' ∈ H, the variable dist-rprt(h') is a tuple of the form (t_sent, t_rcvd), where t_sent is 
the transmission time of the most recent session packet of h' to be received by h and t_rcvd is the 
reception time of this session packet by h. If the host h has not received a session packet from the 
host h' since joining the reliable multicast group, then the variable dist-rprt(h') is undefined; that 
is, dist-rprt(h') = ⊥. 

The variable dist(h') ∈ ℝ≥0 × ℝ≥0, for each h' ∈ H, h' ≠ h, records the most up-to-date estimate of 
the distance from h to the host h'. Such distance estimates are ordered by the transmission time 
of the session packet of h that initiated their calculation; that is, a distance estimate calculated 
as a result of the transmission of a more recent session packet of h is considered more up-to-date. 
If two calculations are initiated by the same session packet of h, then the later calculation 
is considered more up-to-date. Thus, for each h' ∈ H, the variable dist(h') is a tuple of the 
form (t_rprt, t_dist), where t_rprt is the transmission time of the session packet of h that initiated the 
particular distance estimate calculation and t_dist is the distance estimate obtained as a result of 
the particular calculation. 

The variable max-seqno(h') ∈ ℕ ∪ ⊥, for each h' ∈ H, h' ≠ h, records the latest sequence number 
of h' to have been observed by h. Recall that h may observe the transmission progress of other 
hosts by examining any type of packet. If the host h has not yet observed the transmission of any 
packets from the host h', then the variable max-seqno(h') is undefined; that is, max-seqno(h') = ⊥. 

The variable dist-buff ⊆ H contains the hosts whose distance estimates have recently been updated 
but have not yet been reported to the SRM-REC_h automaton. Similarly, the variable seqno-buff ⊆ H 
contains the hosts whose maximum observed sequence numbers have recently been updated but 
have not yet been reported to the SRM-REC_h automaton. 

Derived Variables The derived variable dist-rprt records the transmission and the reception 
times of the most recent session packet of all other hosts. dist-rprt is the set of tuples of the form 
(h', t_s, t_r), with (t_s, t_r) = dist-rprt(h'), for h' ∈ H, h' ≠ h, and dist-rprt(h') ≠ ⊥. In effect, dist-rprt 
summarizes the information recorded by the dist-rprt(h') variables, for all h' ∈ H, h' ≠ h. 
Figure 16 The SRM-REP_h Automaton — Signature 

Parameters: 

h ∈ H, DFLT-DIST ∈ ℝ≥0, SESS-PERIOD ∈ ℝ≥0 

Actions: 

input 
  crash_h 
  rm-join-ack_h 
  rm-leave_h 
  process-mpkt_h(p), for p ∈ P_SRM 

time-passage 
  ν(t), for t ∈ ℝ≥0 

output 
  rep-msend_h(p), for p ∈ P_SRM 
  rep-dist_h(h', d'), for h' ∈ H, h' ≠ h, d' ∈ ℝ≥0 
  rep-seqno_h(s, i), for s ∈ H, s ≠ h, i ∈ ℕ 



Figure 17 The SRM-REP_h Automaton — Variables 

Variables: 

now ∈ ℝ≥0, initially now = 0 
status ∈ SRM-Status, initially status = idle 
rep-deadline ∈ ℝ≥0 ∪ ⊥, initially rep-deadline = ⊥ 
dist-rprt(h') ∈ ℝ≥0 × ℝ≥0 ∪ ⊥, for all h' ∈ H, h' ≠ h, initially dist-rprt(h') = ⊥ 
dist(h') ∈ ℝ≥0 × ℝ≥0, for all h' ∈ H, h' ≠ h, initially dist(h') = (0, DFLT-DIST) 
max-seqno(h') ∈ ℕ ∪ ⊥, for all h' ∈ H, h' ≠ h, initially max-seqno(h') = ⊥ 
dist-buff ⊆ H, initially dist-buff = ∅ 
seqno-buff ⊆ H, initially seqno-buff = ∅ 

Derived Variables: 

dist-rprt = ⋃_{h' ∈ H, h' ≠ h, dist-rprt(h') ≠ ⊥} {(h', t_sent, t_rcvd) | dist-rprt(h') = (t_sent, t_rcvd)} 
max-seqno = ⋃_{h' ∈ H, h' ≠ h, max-seqno(h') ≠ ⊥} {(h', max-seqno(h'))} 


The derived variable max-seqno records the transmission progress of all other hosts, max-seqno 
is the set of tuples of the form (ft/ , max-seqno (h 1 )), for ft' & H,h' ^ ft, and max-seqno{h') t^_L. 
In effect, max-seqno summarizes the information recorded by the max-seqno{h') variables, for all 
ft' eH,ti ^h. 

Input Actions As in the case of the SRM-IPbuff^ and SRM-REC/i automata, the input action 
crash/j models the crashing of the host ft. The effects of the action crash^ are to set the status 
variable to crashed, denoting that the host ft. has crashed. Once the host ft, has crashed, none of the 
input actions affect the state of SRM-rep^, none of the internal and output actions are enabled, 
and time is not restricted from elapsing. 

The input action rm-join-ack/j informs the SRM-REP/j automaton that the host ft has joined the 
reliable multicast group. If the host ft, is operational, then the rm-join-ack/j action records the 
fact that the host h has joined the reliable multicast group by setting the variable status to member. 
Moreover, it schedules the transmission of a session packet no later than SESS-PERIDD time units 
in the future by setting the rep-deadline variable to a value that is uniformly chosen within the 
interval now + (0, SESS-PERIOD]. 

The input action rm-leave/j informs the SRM-REP/j automaton that the host ft has left the reliable 
multicast group. If the host h is operational, then the action rm-leave^ reinitializes all the variables 
of SRM-REP/j except the variable now. 

The input action process-mpkt/j(p) processes the packet p. Recall that the functionality of the 
reporting component includes tracking the transmission progress of all sources and estimating the 
distance estimates from the host ft to all other reliable multicast group members. Provided the 
host ft, is a member of the reliable multicast group, the packet p is processed according to its packet 
type. 

We first consider the case where p is a SESS packet. Letting s p denote the sender of p, SRM-REP/j 
checks whether p is either the first or the most recent session packet of s p to be received by ft. If 
so, the variable dist-rprt{s p ) is set to (time-sent(p), now) to record the reception of a more recent 
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session packet from the host s p . 

Then, if p carries a distance report for h and the session packet that initiated this report is at least
as recent as the session packet that initiated the calculation of the current distance estimate to s_p,
a new distance estimate to s_p is calculated. If the calculation of the current distance estimate
was initiated by the same session packet as the new calculation, then the new distance estimate is
considered more recent, since the latency observed from s_p to h is more recent. SRM-REP_h records
the new distance estimate to s_p by reassigning the tuple dist(s_p). Furthermore, s_p is added to
the dist-buff buffer so that SRM-REP_h may subsequently report the new distance estimate to s_p
to SRM-REC_h.

Finally, SRM-REP_h goes through the transmission state reports contained in p to determine
whether s_p has observed further progress in the transmission of any of the sources; that is,
whether s_p has observed the transmission of later ADU packets by any of the sources. For
each state report indicating further transmission progress, the corresponding max-seqno variable
is updated. Moreover, the respective source is added to the seqno-buff buffer so that SRM-REP_h
may subsequently report this transmission progress of the respective source to SRM-REC_h.

We now consider the case where p is either a DATA, RQST, or REPL packet. Let s_p and i_p denote the
source and sequence number of the ADU packet contained in p. If the packet p is a DATA packet and
is the first data packet to be received from s_p, that is, if max-seqno(s_p) = ⊥, then max-seqno(s_p) is
set to i_p. If the packet p is either a DATA, RQST, or REPL packet and i_p is greater than max-seqno(s_p),
then max-seqno(s_p) is set to i_p. Note that a RQST or REPL packet received while max-seqno(s_p) = ⊥
leaves max-seqno(s_p) undefined; only a DATA packet initializes it.

Output Actions The output action rep-msend_h(p), for p ∈ P_SRM, hands off the packet p to
SRM-IPBUFF_h so that it may subsequently be multicast by SRM-IPBUFF_h using the underlying
IP multicast service. The precondition of the rep-msend_h(p) action is that the host h is a member
of the reliable multicast group, the variable now equals the session packet deadline rep-deadline,
and the packet p corresponds to a session packet pertaining to the current state of the SRM-REP_h
automaton. The operation comp-sess-pkt(h, now, dist-rprt, seqno) composes the session packet p.
rep-msend_h(p) schedules the transmission of the next session packet by setting rep-deadline to
SESS-PERIOD time units in the future. The parameter SESS-PERIOD of the SRM-REP_h automaton
specifies the period with which the host h transmits session packets.

The output action rep-dist_h(h', d') reports to SRM-REC_h the most recent distance estimate d' to
the host h'. The action rep-dist_h(h', d') is enabled when the host h is a member of the reliable
multicast group, the distance estimate to h' has recently been updated but has yet to be reported
to SRM-REC_h, that is, h' ∈ dist-buff, and the distance d' is the most recent distance estimate to
h', that is, it is the distance component of the tuple dist(h'). The effect of rep-dist_h(h', d') is
to remove the host h' from the dist-buff buffer.

The output action rep-seqno_h(s, i) reports to SRM-REC_h the most recent maximum sequence
number observed for the source s. The action rep-seqno_h(s, i) is enabled when the host h is
a member of the reliable multicast group, the maximum sequence number for the source s has
recently been updated but has yet to be reported to SRM-REC_h, that is, s ∈ seqno-buff, and i is
the most recently recorded maximum sequence number for the source s, that is, i = max-seqno(s).
The effect of rep-seqno_h(s, i) is to remove the source s from the seqno-buff buffer.

Time Passage The time passage action ν(t) models the passage of t time units. If the
host h has crashed, then time is allowed to elapse freely. Otherwise, time is allowed to elapse neither
past the transmission deadline of the next session packet, rep-deadline, nor while there are pending
reports; that is, while either of the reporting buffers dist-buff and seqno-buff is non-empty.
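As an added illustration, not code from the paper, the following Python model executes the session-packet processing just described: it maintains dist-rprt, dist, max-seqno and the two reporting buffers, derives a distance estimate as half of the measured round-trip time, applies the recency check on the session packet that initiated the report, and composes a session packet with comp-sess-pkt. Class, method and field names, the session-packet layout (one distance report per host, one progress report per source) and the constructed two-host timeline are assumptions made here; the paper specifies the transitions abstractly.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class SessPkt:
    """Session packet as assumed here: distance reports (host -> (t_sent, t_delayed))
    and transmission-state reports (source -> highest ADU seqno the sender has seen)."""
    sender: str
    time_sent: float
    dist_rprts: Dict[str, Tuple[float, float]]
    seqno_rprts: Dict[str, int]


@dataclass
class SrmRep:
    """State of SRM-REP_h; None stands in for the paper's ⊥."""
    h: str
    now: float = 0.0
    status: str = "idle"
    dist_rprt: Dict[str, Tuple[float, float]] = field(default_factory=dict)  # s -> (t_sent, t_rcvd)
    dist: Dict[str, Tuple[float, float]] = field(default_factory=dict)       # s -> (t_rprt, t_dist)
    max_seqno: Dict[str, Optional[int]] = field(default_factory=dict)
    dist_buff: Set[str] = field(default_factory=set)    # distances not yet reported to SRM-REC_h
    seqno_buff: Set[str] = field(default_factory=set)   # progress not yet reported to SRM-REC_h

    def join(self) -> None:   # rm-join-ack_h (the session-packet deadline is not modelled)
        self.status = "member"

    def process_sess(self, p: SessPkt) -> None:
        """process-mpkt_h(p) for type(p) = SESS."""
        if self.status != "member":
            return
        s_p = p.sender
        rec = self.dist_rprt.get(s_p)      # record p if first or most recent from s_p
        if rec is None or rec[0] < p.time_sent:
            self.dist_rprt[s_p] = (p.time_sent, self.now)
        # New distance estimate only if p reports about h and the session packet that
        # initiated the report is at least as recent as the one behind the current estimate.
        if self.h in p.dist_rprts:
            t_sent, t_delayed = p.dist_rprts[self.h]
            t_rprt = self.dist[s_p][0] if s_p in self.dist else float("-inf")
            if t_rprt <= t_sent:
                t_dist = (self.now - t_delayed - t_sent) / 2.0   # half of the measured RTT
                self.dist[s_p] = (t_sent, t_dist)
                self.dist_buff.add(s_p)                         # enables rep-dist_h(s_p, t_dist)
        for src, i in p.seqno_rprts.items():   # progress observed by s_p; ⊥ is below any seqno
            cur = self.max_seqno.get(src)
            if cur is None or cur < i:
                self.max_seqno[src] = i
                self.seqno_buff.add(src)                        # enables rep-seqno_h(src, i)

    def process_data_like(self, ptype: str, s_p: str, i_p: int) -> None:
        """process-mpkt_h(p) for DATA, RQST and REPL packets with id(p) = (s_p, i_p)."""
        if self.status != "member":
            return
        cur = self.max_seqno.get(s_p)
        if cur is None and ptype == "DATA":   # first DATA packet seen from s_p
            self.max_seqno[s_p] = i_p
        elif cur is not None and cur < i_p:   # later ADU packet observed, any of the three types
            self.max_seqno[s_p] = i_p

    def comp_sess_pkt(self) -> SessPkt:
        """comp-sess-pkt(h, now, dist-rprt, seqno): per host s, the send time of its latest
        session packet and how long h has held it since reception."""
        return SessPkt(
            sender=self.h,
            time_sent=self.now,
            dist_rprts={s: (t_sent, self.now - t_rcvd) for s, (t_sent, t_rcvd) in self.dist_rprt.items()},
            seqno_rprts={s: i for s, i in self.max_seqno.items() if i is not None},
        )


def two_host_exchange(lat_ab: float, lat_ba: float) -> dict:
    """Constructed scenario: a and b exchange session packets over fixed one-way latencies;
    clocks are advanced by hand to model delivery."""
    a, b = SrmRep("a"), SrmRep("b")
    a.join()
    b.join()
    for t in (0.0, 3.0):              # a multicasts session packets at t = 0 and t = 3
        a.now = t
        pkt = a.comp_sess_pkt()
        b.now = t + lat_ab
        b.process_sess(pkt)
    b.max_seqno["b"] = 7              # b has sent ADU packets up to seqno 7 (set directly)
    b.now += 2.5                      # b holds a's latest report for 2.5 time units
    pb = b.comp_sess_pkt()
    a.now = b.now + lat_ba
    a.process_sess(pb)
    estimate = a.dist["b"][1]         # (lat_ab + lat_ba) / 2
    # A reordered session packet that b composed earlier, reporting on a's t = 0 packet,
    # arrives late; its report is older than the one behind the estimate and is ignored.
    stale = SessPkt("b", lat_ab + 1.0, {"a": (0.0, 1.0)}, {})
    a.now += 1.0
    a.process_sess(stale)
    return {"estimate": estimate, "after_stale": a.dist["b"][1],
            "dist_pending": set(a.dist_buff), "max_seqno_b": a.max_seqno["b"],
            "seqno_pending": set(a.seqno_buff)}
```

two_host_exchange(1.5, 1.5) gives a an estimate of 1.5 for its distance to b, the mean of the two one-way latencies, and an asymmetric (1.0, 3.0) pair gives 2.0, which is all a symmetric RTT/2 estimator can report. The late, older session packet does not disturb the estimate, and b's reported progress (sequence number 7) is queued in seqno-buff for rep-seqno_h, exactly the two buffers whose non-emptiness blocks time passage in the automaton.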
Figure 18 The SRM-REP_h Automaton — Discrete Transitions

input crash_h
  eff status := crashed

input rm-join-ack_h
  eff if status ≠ crashed then
        status := member
        rep-deadline :∈ now + (0, SESS-PERIOD]

input rm-leave_h
  eff if status ≠ crashed then
        Reinitialize all variables except now.

input process-mpkt_h(p), where type(p) = SESS
  eff if status = member then
        s_p := sender(p)
        if dist-rprt(s_p) = ⊥ then
          dist-rprt(s_p) := (time-sent(p), now)
        else
          (t_sent, t_rcvd) := dist-rprt(s_p)
          if t_sent < time-sent(p) then
            dist-rprt(s_p) := (time-sent(p), now)
        if h ∈ dist-rprt?(p) then
          (t_sent, t_delayed) := dist-rprt(p, h)
          (t_rprt, t_dist) := dist(s_p)
          if t_rprt ≤ t_sent then
            t'_dist := (now − t_delayed − t_sent)/2
            dist(s_p) := (t_sent, t'_dist)
            dist-buff ∪= {s_p}
        foreach (h'', i'') ∈ seqno-rprts(p) do:
          if max-seqno(h'') < i'' then
            max-seqno(h'') := i''
            seqno-buff ∪= {h''}

input process-mpkt_h(p), where type(p) ≠ SESS
  eff if status = member then
        (s_p, i_p) := id(p)
        if max-seqno(s_p) = ⊥ ∧ type(p) = DATA then
          max-seqno(s_p) := i_p
        if max-seqno(s_p) ≠ ⊥ ∧ max-seqno(s_p) < i_p then
          max-seqno(s_p) := i_p

output rep-msend_h(p)
  pre status = member ∧ now = rep-deadline
      ∧ p = comp-sess-pkt(h, now, dist-rprt, seqno)
  eff rep-deadline := now + SESS-PERIOD

output rep-dist_h(h', d')
  choose t' ∈ R^{≥0}
  pre status = member ∧ h' ∈ dist-buff ∧ (t', d') = dist(h')
  eff dist-buff \= {h'}

output rep-seqno_h(s, i)
  pre status = member ∧ s ∈ seqno-buff ∧ i = max-seqno(s)
  eff seqno-buff \= {s}

time-passage ν(t)
  pre status = crashed
      ∨ (dist-buff = ∅ ∧ seqno-buff = ∅
         ∧ (rep-deadline = ⊥ ∨ now + t ≤ rep-deadline))
  eff now := now + t


Figure 19 The IPmcast Automaton — Signature

Actions:
  input
    crash_h, for h ∈ H
    mjoin_h, for h ∈ H
    mleave_h, for h ∈ H
    msend_h(p), for h ∈ H, p ∈ P_IPmcast-Client
  internal
    mgrbg-coll(pkt), for pkt ∈ P_IPmcast
  output
    mjoin-ack_h, for h ∈ H
    mleave-ack_h, for h ∈ H
    mrecv_h(p), for h ∈ H, p ∈ P_IPmcast-Client
    mdrop(p, H_d), for p ∈ P_IPmcast-Client, H_d ⊆ H
  time-passage
    ν(t), for t ∈ R^{≥0}



5.2.6 The IP Multicast Component — IPmcast 

In this section, we give an abstract specification of the IP multicast service, the IP primitive that
provides best-effort point-to-multipoint communication. In order to simplify the presentation, we
assume that only a single multicast group exists. Furthermore, we abstract away the specifics of
the underlying protocols that collectively provide the IP multicast service. In our model, hosts
join, leave, and send data packets to the IP multicast group by issuing join and leave requests and
by multicasting data packets, respectively. Following the initial service model of IP multicast, a
host need not be a member of the IP multicast group to send messages addressed to the group.
However, a host must join the IP multicast group in order to receive packets addressed to the IP
multicast group. The IP multicast service guarantees that only hosts that are members of the IP
multicast group actually receive IP multicast packets.

Figures 19 and 20 present the signature, variables, and discrete transitions of the IPmcast
timed I/O automaton, an abstract specification of the IP multicast service.
Variables The variable now ∈ R^{≥0} denotes the time that has elapsed since the beginning of
an execution of IPmcast. Each variable status(h) ∈ IPmcast-Status, for h ∈ H, denotes the IP
multicast membership status of the host h. The value idle indicates that h is idle with respect to
the IP multicast group; that is, it is neither a member, nor in the process of joining or leaving the
IP multicast group. The value joining indicates that h is in the process of joining the IP multicast
group; that is, the client has issued a request to join the IP multicast group and is awaiting an
acknowledgment of this join request from the IP multicast service. The value leaving indicates
that h is in the process of leaving the IP multicast group; that is, the client has issued a request to
leave the IP multicast group and is awaiting an acknowledgment of this leave request from the IP
multicast service. The value member indicates that h is a member of the IP multicast group. The
value crashed indicates that h has crashed. When the host h has crashed, none of the input actions
pertaining to h affect the state of IPmcast and none of the locally controlled actions pertaining
to h are enabled. While the host h has not crashed, we say that it is operational.

The variable mpkts ⊆ P_IPmcast is comprised of the tuples that track the transmission progress of
the packets transmitted during the particular execution of IPmcast. Note that the size of the
intended delivery set of each transmission progress tuple decreases monotonically, since the hosts it
consists of may leave the IP multicast group or crash, and no host is ever added to it.

Derived Variables The derived variable up ⊆ H is the set of hosts that are operational; that is,
the set of hosts that have not yet crashed. The derived variable idle ⊆ H is the set of hosts that are
idle with respect to the IP multicast group. The derived variable joining ⊆ H is the set of hosts that
are in the process of joining the IP multicast group. The derived variable leaving ⊆ H is the set of
hosts that are in the process of leaving the IP multicast group. The derived variable members ⊆ H
is the set of hosts that are members of the IP multicast group.

Input Actions Each input action crash_h, for h ∈ H, models the crashing of the host h. The
crash_h action records the fact that h has crashed by setting the status(h) variable to crashed.
Moreover, the crash_h action removes the host h from the intended delivery set of any packet in
the set of pending packets mpkts.

The input action mjoin_h models the request of the client at h to join the IP multicast group. The
mjoin_h action is effective only while the host is idle with respect to the IP multicast group. When
effective, the mjoin_h action sets the status(h) variable to joining so as to record that the host h
has initiated the process of joining the IP multicast group. If the client is either a member of or in
the process of joining the IP multicast group, then the mjoin_h action is superfluous. If the client
is already in the process of leaving the group, then the mjoin_h action is discarded so as to allow
the process of leaving the IP multicast group to complete.

The input action mleave_h models the request of the client at h to leave the IP multicast group. The
mleave_h action is effective only while the host is either a member of or in the process of joining the
IP multicast group. When effective, the mleave_h action sets the status(h) variable to leaving so
as to record that the host h has initiated the process of leaving the IP multicast group. Moreover,
the mleave_h action removes the host h from the intended delivery set of any packet in the set of
pending packets mpkts. Leave requests overrule join requests; that is, when an mleave_h action is
performed while the host h is in the process of joining the IP multicast group, its effects are to
abort the process of joining and to initiate the process of leaving the IP multicast group. If the
client is either idle with respect to or already in the process of leaving the IP multicast group, then
the mleave_h action is superfluous.

The input action msend_h(p) models the transmission by the client at h of the packet p using the IP
multicast service. The msend_h(p) action is effective only if the client is operational; recall that a
client need not be a member of the IP multicast group to multicast packets using the IP multicast
service. The effects of the msend_h(p) action are to add a tuple corresponding to the transmission
of the packet p to mpkts. This tuple is initialized as follows: its intended delivery set is initialized
to the current members of the IP multicast group, its completed delivery set is initialized to the
host h, as if the packet p had already been delivered to the client at the host h, and its dropped set
is initialized to the empty set.

Figure 20 The IPmcast Automaton — Variables and Discrete Transitions

Variables:
  now ∈ R^{≥0}, initially now = 0
  status(h) ∈ IPmcast-Status, for all h ∈ H, initially status(h) = idle, for all h ∈ H
  mpkts ⊆ P_IPmcast, initially mpkts = ∅

Derived Variables:
  up = {h ∈ H | status(h) ≠ crashed}
  idle = {h ∈ H | status(h) = idle}
  joining = {h ∈ H | status(h) = joining}
  leaving = {h ∈ H | status(h) = leaving}
  members = {h ∈ H | status(h) = member}

Discrete Transitions:

input crash_h
  eff if h ∈ up then
        status(h) := crashed
        foreach pkt ∈ mpkts do:
          intended(pkt) \= {h}

input mjoin_h
  eff if h ∈ idle then
        status(h) := joining

input mleave_h
  eff if h ∈ joining ∪ members then
        status(h) := leaving
        foreach pkt ∈ mpkts do:
          intended(pkt) \= {h}

input msend_h(p)
  eff if h ∈ up then
        mpkts ∪= {(p, members, {h}, ∅)}

internal mgrbg-coll(p)
  choose pkt ∈ P_IPmcast
  pre pkt ∈ mpkts ∧ p = strip(pkt)
      ∧ intended(pkt) ⊆ completed(pkt) ∪ dropped(pkt)
  eff mpkts \= {pkt}

output mjoin-ack_h
  pre h ∈ joining
  eff status(h) := member

output mleave-ack_h
  pre h ∈ leaving
  eff status(h) := idle

output mrecv_h(p)
  choose pkt ∈ P_IPmcast
  pre h ∈ members \ dropped(pkt)
      ∧ pkt ∈ mpkts ∧ p = strip(pkt)
  eff completed(pkt) ∪= {h}

output mdrop(p, H_d)
  choose pkt ∈ P_IPmcast
  pre pkt ∈ mpkts ∧ p = strip(pkt)
      ∧ H_d ⊆ members \ (completed(pkt) ∪ dropped(pkt))
  eff dropped(pkt) ∪= H_d

time-passage ν(t)
  pre None
  eff now := now + t

Output Actions The output action mjoin-ack_h acknowledges the join request of the client at h.
The mjoin-ack_h action is enabled only when the host is in the process of joining the IP multicast
group. Its effect is to set the status(h) variable to member so as to indicate that the client at h
has become a member of the IP multicast group.

The output action mleave-ack_h acknowledges the leave request of the client at h. The action
mleave-ack_h is enabled when the host is in the process of leaving the IP multicast group. Its
effect is to set the status(h) variable to idle so as to indicate that the client at h has become
idle with respect to the IP multicast group.

The output action mrecv_h(p) models the delivery of the packet p to the client at h. The mrecv_h(p)
action is enabled when p is a pending packet and the host h is both a member of the IP multicast
group and absent from the dropped set of the transmission progress tuple pkt in mpkts pertaining
to p. The effect of the mrecv_h(p) action is to add the host h to the completed delivery set of p's
transmission progress tuple pkt. Note that the precondition does not require h to belong to the
intended delivery set of pkt: a host that joins after p was sent may still receive p.

The output action mdrop(p, H_d), for any p ∈ P_IPmcast-Client and H_d ⊆ H, models the drop of the
packet p on a link of the underlying IP multicast tree whose descendants are the hosts in the set H_d.
The mdrop(p, H_d) action is enabled when p is a pending packet and H_d is comprised of members
of the IP multicast group for which the delivery of the packet p has neither completed, nor failed
due to prior packet drops. The mdrop(p, H_d) action adds the hosts comprising H_d to the dropped
set of the transmission progress tuple pkt in mpkts pertaining to p.

Internal Actions The internal action mgrbg-coll(p) models the garbage collection of the packet
p. A packet p may only be garbage collected after all the hosts comprising its intended delivery set
have either received the packet or suffered a loss that prevents the packet from being forwarded to
them. The effect of the mgrbg-coll(p) action is to remove the transmission progress tuple pkt
pertaining to p from the set mpkts.

Time Passage The time-passage action ν(t), for t ∈ R^{≥0}, models the passage of t time units.
The action ν(t) is enabled at any point in time and increments the variable now by t time units.

Properties 

Lemma 5.1 (Transmission Integrity) For any timed trace β of IPmcast, it is the case that
any mrecv_h(p) action, for h ∈ H, in β is preceded in β by an msend_h'(p) action, for some h' ∈ H.

Proof: Let α be any timed execution of IPmcast such that β = ttrace(α). Consider a particular
occurrence of an action mrecv_h(p) in α, for h ∈ H. Let (u, mrecv_h(p), u') ∈ trans(IPmcast) be
the discrete transition in α corresponding to the particular occurrence of the action mrecv_h(p) in
α. From the precondition of mrecv_h(p), it is the case that there is a packet pkt ∈ u.mpkts such
that p = strip(pkt). However, such a packet may be added to mpkts only by the occurrence of an
action msend_h'(p), for some h' ∈ H. It follows that the occurrence of any action mrecv_h(p) in α is
preceded by the occurrence of an action msend_h'(p), for some h' ∈ H. ■
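The IPmcast automaton of Figures 19 and 20 and Lemma 5.1, as an added executable model that is not code from the paper: each action of Figure 20 is a method whose guard is the figure's precondition, the external actions are appended to a trace in the order they occur, and check_trace evaluates Lemma 5.1 together with the membership guarantee stated at the start of Section 5.2.6 over that trace. The class and method names and the representation of mpkts as a list of Pkt records are assumptions made here; time passage is left out because ν(t) is always enabled and appears in no precondition.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(eq=False)   # identity comparison: each tuple is one transmission
class Pkt:             # element of mpkts: (strip(pkt), intended, completed, dropped)
    p: str
    intended: Set[str]
    completed: Set[str]
    dropped: Set[str] = field(default_factory=set)


class IPmcast:
    def __init__(self, hosts):
        self.status: Dict[str, str] = {h: "idle" for h in hosts}
        self.mpkts: List[Pkt] = []
        self.trace: List[Tuple] = []   # external actions in order (the timed trace)

    def members(self) -> Set[str]:
        return {h for h, s in self.status.items() if s == "member"}

    # Input actions are always enabled; their effects are guarded as in Figure 20.
    def crash(self, h: str) -> None:
        self.trace.append(("crash", h))
        if self.status[h] != "crashed":
            self.status[h] = "crashed"
            for pkt in self.mpkts:
                pkt.intended.discard(h)

    def mjoin(self, h: str) -> None:
        self.trace.append(("mjoin", h))
        if self.status[h] == "idle":
            self.status[h] = "joining"

    def mleave(self, h: str) -> None:
        self.trace.append(("mleave", h))
        if self.status[h] in ("joining", "member"):
            self.status[h] = "leaving"
            for pkt in self.mpkts:
                pkt.intended.discard(h)

    def msend(self, h: str, p: str) -> None:
        self.trace.append(("msend", h, p))
        if self.status[h] != "crashed":   # a sender need not be a member
            self.mpkts.append(Pkt(p, self.members(), {h}))

    # Locally controlled actions return False when their precondition fails.
    def mjoin_ack(self, h: str) -> bool:
        if self.status[h] != "joining":
            return False
        self.status[h] = "member"
        self.trace.append(("mjoin-ack", h))
        return True

    def mleave_ack(self, h: str) -> bool:
        if self.status[h] != "leaving":
            return False
        self.status[h] = "idle"
        self.trace.append(("mleave-ack", h))
        return True

    def mrecv(self, h: str, pkt: Pkt) -> bool:
        if pkt not in self.mpkts or h not in self.members() - pkt.dropped:
            return False
        pkt.completed.add(h)
        self.trace.append(("mrecv", h, pkt.p))
        return True

    def mdrop(self, pkt: Pkt, H_d: Set[str]) -> bool:
        if pkt not in self.mpkts or not H_d <= self.members() - (pkt.completed | pkt.dropped):
            return False
        pkt.dropped |= H_d
        self.trace.append(("mdrop", pkt.p, frozenset(H_d)))
        return True

    def mgrbg_coll(self, pkt: Pkt) -> bool:   # internal action: leaves no trace event
        if pkt not in self.mpkts or not pkt.intended <= pkt.completed | pkt.dropped:
            return False
        self.mpkts.remove(pkt)
        return True


def check_trace(trace) -> Dict[str, bool]:
    """Lemma 5.1 (each mrecv_h(p) follows some msend_h'(p)) and the membership guarantee."""
    sent, member, integrity, membership = set(), set(), True, True
    for ev in trace:
        kind, h = ev[0], ev[1]
        if kind == "msend":
            sent.add(ev[2])
        elif kind == "mjoin-ack":
            member.add(h)
        elif kind in ("mleave", "crash"):   # h stops being a member at once
            member.discard(h)
        elif kind == "mrecv":
            integrity &= ev[2] in sent
            membership &= h in member
    return {"integrity": integrity, "membership": membership}
```

A constructed run exercises every precondition: a and b join and are acknowledged, the non-member c sends p1 (allowed), b receives it, c cannot (not a member), mgrbg_coll is refused while a is still in intended but in neither completed nor dropped, mdrop places a in dropped(pkt) so that a can no longer receive, and mgrbg_coll then succeeds because intended = {a, b} ⊆ completed ∪ dropped; check_trace returns both flags true for that trace, and false for a hand-written trace in which an mrecv has no preceding msend or the receiver never joined.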



5.3 Constraints on RMI's Parameters 

Figure 21 illustrates the behavior of RMI's packet loss recovery scheme. In particular, for any
k ∈ N^+, it depicts the transmission of a k-th round request by h, the scheduling of a (k+1)-st round
request by h, and the scheduling of a reply to h's k-th round request by a host h'. $t_h$ is the point in
time at which h schedules its k-th round request, $t'_h$ is the point in time for which h schedules its
k-th round request, $t_{h'}$ is the point in time at which h' receives h's k-th round request, and $t'_{h'}$ is the point
in time for which h' schedules its reply to h's k-th round request. $\hat{d}_{hs}$ is half of h's RTT estimate
to the source s of the packet being recovered, $d_{hh'}$ and $d_{h'h}$ are the actual transmission latencies
between h and h', and $\hat{d}_{h'h}$ is half of the RTT estimate of h' to h.

RMI must ensure that the back-off abstinence intervals do not overlap with request intervals.
From Figure 21, this requirement is enforced by imposing the parameter constraint $C_3 < C_1$.
Moreover, RMI must ensure that requestors schedule their retransmission requests such that they
succeed the reception of replies pertaining to prior recovery rounds; prematurely transmitted
requests would result in wasteful recovery traffic. From Figure 21, this requirement corresponds
to the satisfaction of the inequalities
$$d_{hh'} + (D_1 + D_2)\,\hat{d}_{h'h} + d_{h'h} < 2^k C_1 \hat{d}_{hs}, \quad \text{for } k \in \mathbb{N}^+.$$
Presuming that inter-host transmission latencies are fixed and symmetric and that RMI's inter-host
RTT estimates are accurate, these inequalities are satisfied if $D_1 + D_2 + 2 < 2C_1$. Finally,
RMI must also ensure that a particular round's requests are not discarded by potential repliers
because they are received during the repliers' abstinence periods pertaining to the prior recovery
round. From Figure 21, this requirement corresponds to the satisfaction of the inequalities
$$d_{hh'} + (D_1 + D_2)\,\hat{d}_{h'h} + D_3\,\hat{d}_{h'h} < 2^k C_1 \hat{d}_{hs} + d_{hh'}, \quad \text{for } k \in \mathbb{N}^+.$$
Presuming that inter-host transmission latencies are fixed and symmetric and that RMI's inter-host
RTT estimates are accurate, these inequalities are satisfied if $D_1 + D_2 + D_3 < 2C_1$. In both
cases the first round, k = 1, is the binding one, since the right-hand side doubles with every
subsequent round.

Figure 21 Timing Diagram of SRM's Loss Recovery Scheme

The following assumption summarizes the constraints on RMI's parameters. 

Assumption 5.1 RMI's parameters $C_1$, $C_2$, $C_3$, $D_1$, $D_2$, and $D_3$ satisfy the following constraints:
$C_3 < C_1$, $D_1 + D_2 + 2 < 2C_1$, and $D_1 + D_2 + D_3 < 2C_1$.

To our knowledge, these constraints on SRM's request/reply scheduling parameters, or even similar 
ones, have not been expressed to date. In fact, most analyses and simulations presume that no 
recovery packets are lost; that is, they presume that the initial recovery round is always successful. 
Our timing analysis illustrates that if the parameters are chosen arbitrarily it is possible to cause 
either superfluous requests and replies or the failure of a recovery round due to replier abstinence. 
Although in practice, due to inaccurate inter-host RTT estimates and varying and non-symmetric 
inter-host transmission latencies, superfluous traffic and/or recovery round failure may indeed be 
unavoidable, it is still important to realize their tie to SRM's parameters. 
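An added worked check of the constraints of this section, not code from the paper: for given parameter values and latencies it computes the worst-case timeline of a recovery round from the two inequalities above (the (k+1)-st round request no earlier than $2^k C_1 \hat{d}_{hs}$ after the k-th, a reply delayed at h' by at most $(D_1 + D_2)\hat{d}_{h'h}$, abstinence for $D_3 \hat{d}_{h'h}$ after the reply) and reports which rounds violate either requirement. Actual and estimated latencies are separate inputs so that the effect of inaccurate RTT estimates can be seen; function and argument names are assumptions made here.

```python
def satisfies_assumption_5_1(C1: float, C2: float, C3: float,
                             D1: float, D2: float, D3: float) -> bool:
    """Assumption 5.1: C3 < C1, D1 + D2 + 2 < 2 C1, D1 + D2 + D3 < 2 C1 (C2 is unconstrained)."""
    return C3 < C1 and D1 + D2 + 2 < 2 * C1 and D1 + D2 + D3 < 2 * C1


def round_timing(k: int, C1: float, D1: float, D2: float, D3: float,
                 d_hh: float, d_hph: float, dhat_hph: float, dhat_hs: float) -> dict:
    """Worst-case timeline of recovery round k, relative to h's k-th round request at time 0.
    d_hh, d_hph: actual latencies h -> h' and h' -> h.  dhat_hph: h''s estimate of half its
    RTT to h.  dhat_hs: h's estimate of half its RTT to the source s (all assumed inputs)."""
    next_request = (2 ** k) * C1 * dhat_hs              # earliest (k+1)-st round request by h
    request_at_hp = d_hh                                # h' receives the k-th round request
    latest_reply_sent = request_at_hp + (D1 + D2) * dhat_hph
    latest_reply_at_h = latest_reply_sent + d_hph
    abstinence_end = latest_reply_sent + D3 * dhat_hph  # h' ignores requests until then
    next_request_at_hp = next_request + d_hh
    return {
        "next_request": next_request,
        "latest_reply_at_h": latest_reply_at_h,
        "abstinence_end": abstinence_end,
        # first inequality of the text: replies to round k precede the round k+1 request
        "replies_precede_next_request": latest_reply_at_h < next_request,
        # second inequality: the round k+1 request reaches h' after its abstinence period
        "next_request_after_abstinence": abstinence_end < next_request_at_hp,
    }


def failing_rounds(C1: float, D1: float, D2: float, D3: float,
                   d_hh: float, d_hph: float, dhat_hph: float, dhat_hs: float,
                   rounds: int = 5) -> list:
    """Rounds k = 1..rounds in which either timing requirement is violated."""
    bad = []
    for k in range(1, rounds + 1):
        r = round_timing(k, C1, D1, D2, D3, d_hh, d_hph, dhat_hph, dhat_hs)
        if not (r["replies_precede_next_request"] and r["next_request_after_abstinence"]):
            bad.append(k)
    return bad
```

With every distance equal to 1 and C1 = 3, D1 = D2 = D3 = 1, no round fails. With C1 = 1.5 the first round both triggers a premature second-round request (the last reply can arrive at time 4, the next request goes out at 3) and lands in the replier's abstinence period, while rounds k ≥ 2 pass because the request back-off doubles each round. With D3 = 5 only the abstinence requirement fails. With the same good parameters but h's estimate $\hat{d}_{hs}$ halved to 0.5, the first round fails even though Assumption 5.1 holds, which is the caveat the text makes about inaccurate RTT estimates.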

5.4 Safety and Liveness Analysis of RMI 

We begin this section by defining some history variables that facilitate the proof that RMI 
implements RMS. We then define a relation between the states of RMI and RMS and prove that 
this relation is indeed a timed forward simulation relation. This proof establishes that RMI is safe 
with respect to RMS; that is, it may only deliver appropriate packets to each member of the reliable 
multicast group. We conclude by showing that, under certain constraints, RMI is live with respect 
to RMS; that is, under the given constraints, RMI guarantees the timely delivery of the appropriate 
packets to the appropriate members of the reliable multicast group, as formalized in Section 4. 

5.4.1 History Variables 

Figure 22 introduces history and derived history variables for the automata SRM-REC_h and SRM,
respectively.

The history variables of the SRM-REC_h automata, for h ∈ H, are the variables trans-time(p), for
all p ∈ P_RM-Client[h], expected(h') ⊆ H × N, for h' ∈ H, and delivered(h') ⊆ H × N, for h' ∈ H.
Figure 22 History and Derived History Variables

History Variables of SRM-REC_h:
  trans-time(p) ∈ R^{≥0} ∪ ⊥, for all p ∈ P_RM-Client[h], initially trans-time(p) = ⊥, for all p ∈ P_RM-Client[h]
  expected(h') ⊆ H × N, for all h' ∈ H, initially expected(h') = ∅, for all h' ∈ H
  delivered(h') ⊆ H × N, for all h' ∈ H, initially delivered(h') = ∅, for all h' ∈ H

Derived History Variables of SRM:
  sent-pkts = {p ∈ P_RM-Client | trans-time(p) ≠ ⊥}
  sent-pkts? = {(s, i) ∈ H × N | ∃ p ∈ sent-pkts : id(p) = (s, i)}
  intended(p) = {h ∈ H | id(p) ∈ SRM-REC_h.expected(source(p))}, for all p ∈ P_RM-Client
  completed(p) = {h ∈ H | id(p) ∈ SRM-REC_h.delivered(source(p))}, for all p ∈ P_RM-Client
  active-pkts = {p ∈ P_RM-Client | p ∈ sent-pkts ∧ intended(p) ∩ completed(p) ≠ ∅}
Figure 23 SRM-REC_h History Variable Assignments

input crash_h
  eff ...
      foreach h' ∈ H do:
        expected(h') := ∅
        delivered(h') := ∅

input rm-leave_h
  eff if status ≠ crashed then
        Reinitialize all variables except now.
        foreach h' ∈ H do:
          expected(h') := ∅
          delivered(h') := ∅

input rm-send_h(p)
  eff ...
      (s_p, i_p) := id(p)
      \\ Record foremost DATA packet
      if min-seqno(s_p) = ⊥ then
        expected(h) := suffix(p)
      if max-seqno(s_p) = ⊥ ∨ i_p = max-seqno(s_p) + 1 then
        trans-time(p) := now
        delivered(h) ∪= {id(p)}

output rm-recv_h(p)
  pre ...
  eff ...
      (s_p, i_p) := id(p)
      if expected(s_p) = ∅ then
        expected(s_p) := suffix(p)
      delivered(s_p) ∪= {id(p)}

Each trans-time(p) variable, for p ∈ P_RM-Client[h], records the transmission time of the packet p
by the host h. Each expected(h') variable, for h' ∈ H, is comprised of the identifiers of the packets
from h' that the host h expects to deliver since it last joined the reliable multicast group. Each
delivered(h') variable, for h' ∈ H, is comprised of the identifiers of the packets from h' that the
host h has already delivered since it last joined the reliable multicast group. Figure 23 specifies
how the actions of SRM-REC_h affect these history variables.

The derived history variables of SRM are the set of all packets sent since the beginning of the
execution, sent-pkts, and the set of their identifiers, sent-pkts?, the intended delivery set of p,
intended(p), for all p ∈ P_RM-Client, the completed delivery set of p, completed(p), for all
p ∈ P_RM-Client, and the set of active packets, active-pkts.

5.4.2 Preliminary Invariants and Lemmas 

In this section, we present several preliminary invariants and lemmas that are later used in the safety
and liveness proofs of the RMI automaton. We begin by presenting several invariants pertaining
to the SRM-REC_h automaton, for h ∈ H.

Invariant 5.1 For h, h' ∈ H and any reachable state u of SRM-REC_h, if u.status ≠ member, then
u.expected(h') = ∅ and u.delivered(h') = ∅.

Proof: Let α be any finite timed execution of SRM-REC_h leading to u. The proof is by induction
on the length n ∈ N of α. For the base case, consider the finite timed execution α of length 0; that is,
α = u. Since u is a start state of SRM-REC_h, it follows that u.status = idle, u.expected(h') = ∅,
and u.delivered(h') = ∅. Thus, the invariant assertion is satisfied in u. For the inductive step,
consider a timed execution α of length k + 1, for k ∈ N. Let α_k be the prefix of α containing the
first k steps of α and u_k = α_k.lstate. For the step from u_k to u we consider only the actions that
affect the variables status, expected(h'), and delivered(h').

□ crash_h: the action crash_h sets the variable status to crashed and the variables expected(h')
and delivered(h') to ∅. Thus, the invariant assertion is satisfied in u.

□ rm-join-ack_h: if u_k.status ≠ crashed, then the action rm-join-ack_h sets the variable status
to member, so the invariant assertion holds vacuously in u. Otherwise, if u_k.status = crashed,
then the action rm-join-ack_h does not affect the state of SRM-REC_h. Thus, the induction
hypothesis implies that the invariant assertion is satisfied in u.

□ rm-leave_h: if u_k.status ≠ crashed, then the action rm-leave_h sets the variable status to idle
and the expected(h') and delivered(h') variables to ∅. Thus, the invariant assertion is satisfied
in u. Otherwise, if u_k.status = crashed, then the action rm-leave_h does not affect the state of
SRM-REC_h. Thus, the induction hypothesis implies that the invariant assertion is satisfied in
u.

□ rm-send_h(p), for p ∈ P_RM-Client: first, consider the case where ¬(u_k.status = member ∧ h =
source(p)). In this case, rm-send_h(p) does not affect the state of SRM-REC_h. Thus, the induction
hypothesis implies that the invariant assertion holds in u.

Second, consider the case where u_k.status = member and h = source(p). Since u_k.status =
member and rm-send_h(p) does not affect the status variable, it follows that u.status = member.
Thus, the invariant assertion is satisfied vacuously in u.

□ rm-recv_h(p), for p ∈ P_RM-Client: the precondition of the action rm-recv_h(p) implies that
u_k.status = member. Since rm-recv_h(p) does not affect the status variable, it follows that
u.status = member. Thus, the invariant assertion is satisfied vacuously in u. ■



Invariant 5.2 For h, h' ∈ H and any reachable state u of SRM-REC_h, if u.min-seqno(h') ≠ ⊥,
then u.min-seqno(h') ≤ u.max-seqno(h').

Proof: Let α be any finite timed execution of SRM-REC_h leading to u. The proof is by induction
on the length n ∈ N of α. For the base case, consider the finite timed execution α of length 0; that
is, α = u. Since u is a start state of SRM-REC_h, it follows that u.min-seqno(h') = ⊥. Thus, the
invariant assertion is satisfied vacuously in u. For the inductive step, consider a timed execution α
of length k + 1, for k ∈ N. Let α_k be the prefix of α containing the first k steps of α and u_k = α_k.lstate.
For the step from u_k to u we consider only the actions that affect the variables min-seqno(h') and
max-seqno(h').

□ rm-leave_h: if u_k.status ≠ crashed, then the action rm-leave_h sets the variables min-seqno(h')
and max-seqno(h') to ⊥. Thus, the invariant assertion is satisfied vacuously in u. Otherwise, if
u_k.status = crashed, then the action rm-leave_h does not affect the state of SRM-REC_h. Thus,
the induction hypothesis implies that the invariant assertion is satisfied in u.

□ rm-send_h(p), for p ∈ P_RM-Client, such that source(p) = h': letting (s_p, i_p) = id(p), we analyze
the effects of rm-send_h(p) by cases. First, consider the case where ¬(u_k.status = member ∧ h =
s_p). In this case, rm-send_h(p) does not affect the variables min-seqno(h') and max-seqno(h').
Thus, the induction hypothesis implies that the invariant assertion is satisfied in u.

Second, consider the case where u_k.status = member and h = s_p. Since s_p = h', it follows
that h = h' = s_p. If p is the foremost packet from s_p, that is, u_k.min-seqno(s_p) = ⊥, then
the rm-send_h(p) action sets both min-seqno(h') and max-seqno(h') to i_p. It follows that
u.min-seqno(h') ≤ u.max-seqno(h'). Thus, the invariant assertion is satisfied in u.

If p is the next packet from s_p, then the action rm-send_h(p) does not affect min-seqno(h') and
sets max-seqno(h') to i_p; that is, u.min-seqno(h') = u_k.min-seqno(h') and u.max-seqno(h') =
u_k.max-seqno(h') + 1. Since i_p = u_k.max-seqno(h') + 1, it follows that u_k.max-seqno(h') <
u.max-seqno(h'). The induction hypothesis implies that u_k.min-seqno(h') ≤ u_k.max-seqno(h').
Thus, it follows that u.min-seqno(h') ≤ u.max-seqno(h'), as needed.

If p is neither the foremost nor the next packet from s_p, then the action rm-send_h(p) does not
affect the variables min-seqno(h') and max-seqno(h'). Thus, the induction hypothesis implies
that the invariant assertion holds in u.

□ rep-seqno_h(s, i), for s ∈ H and i ∈ N, such that s = h': first, consider the case where
¬(u_k.status = member ∧ u_k.min-seqno(s) ≠ ⊥ ∧ u_k.max-seqno(s) < i). In this case, the action
rep-seqno_h(s, i) does not affect the state of SRM-REC_h. Thus, the induction hypothesis implies
that the invariant assertion holds in u.

Second, consider the case where u_k.status = member ∧ u_k.min-seqno(s) ≠ ⊥ ∧ u_k.max-seqno(s) <
i. In this case, rep-seqno_h(s, i) does not affect min-seqno(h') and sets max-seqno(h') to i; that is,
u.min-seqno(h') = u_k.min-seqno(h') and u.max-seqno(h') = i. Since u_k.max-seqno(h') < i and
u.max-seqno(h') = i, it follows that u_k.max-seqno(h') < u.max-seqno(h'). From the induction
hypothesis, it is the case that u_k.min-seqno(h') ≤ u_k.max-seqno(h'). Thus, it follows that
u.min-seqno(h') ≤ u.max-seqno(h'), as needed.

□ process-mpkt_h(p), for p ∈ P_SRM, such that source(p) = h': letting (s_p, i_p) = id(p), we analyze
the effects of process-mpkt_h(p) by cases. First, if u_k.status ≠ member, then process-mpkt_h(p)
does not affect the state of SRM-REC_h. Thus, the induction hypothesis implies that the invariant
assertion holds in u.

Second, consider the case where u_k.status = member. If p is the foremost packet from s_p, that is,
type(p) = DATA, h ≠ s_p, and u_k.min-seqno(s_p) = ⊥, then the action process-mpkt_h(p) sets both
min-seqno(h') and max-seqno(h') to i_p. It follows that u.min-seqno(h') ≤ u.max-seqno(h'), as
needed.

If p is not the foremost packet from s_p but is proper, that is, u_k.min-seqno(s_p) ≠ ⊥ and
u_k.min-seqno(s_p) < i_p, then the action process-mpkt_h(p) does not affect min-seqno(h') and
may increase the value of max-seqno(h'). It follows that u.min-seqno(h') = u_k.min-seqno(h')
and u_k.max-seqno(h') ≤ u.max-seqno(h'). From the induction hypothesis, it is the case that
u_k.min-seqno(h') ≤ u_k.max-seqno(h'). Thus, it follows that u.min-seqno(h') ≤ u.max-seqno(h'),
as needed.

Otherwise, if p is neither the foremost nor a proper packet from s_p, then process-mpkt_h(p)
does not affect the variables min-seqno(h') and max-seqno(h'). Thus, the induction hypothesis
implies that the invariant assertion holds in u. ■



Invariant 5.3 For h, h' ∈ H and any reachable state u of SRM-REC_h, if u.status = member, then it is the case that u.archived-pkts?(h') = u.delivered(h') ∪ u.to-be-delivered?(h').

Proof: Let α be any finite timed execution of SRM-REC_h leading to u. The proof is by induction on the length n ∈ ℕ of α. For the base case, consider the finite timed execution α of length 0; that is, α = u. Since u is a start state of SRM-REC_h, it follows that u.status = idle. Thus, the invariant assertion holds in u. For the inductive step, consider a timed execution α of length k + 1, for k ∈ ℕ. Let α_k be the prefix of α containing the first k steps of α and u_k = α_k.lstate. For the step from u_k to u, we consider only the actions that affect the variables archived-pkts, delivered(h'), and to-be-delivered?(h').

□ crash_h: the action crash_h sets the variable status to crashed. Thus, the invariant assertion holds in u.

□ rm-leave_h: if u_k.status ≠ crashed, then the action rm-leave_h sets the variable status to idle. Thus, the invariant assertion holds in u.

Otherwise, if u_k.status = crashed, then the action rm-leave_h does not affect the state of SRM-REC_h. It follows that u.status = crashed. Thus, the invariant assertion holds in u.

□ rm-send_h(p), for p ∈ P_RM-Client, such that source(p) = h': letting (s_p, i_p) = id(p), we analyze the effects of rm-send_h(p) by cases. First, if ¬(u_k.status = member ∧ h = s_p), then rm-send_h(p) does not affect the state of SRM-REC_h. Thus, the induction hypothesis implies that the invariant assertion holds in u.

Second, consider the case where u_k.status = member ∧ h = s_p. If p is either the foremost or the next packet from h, then rm-send_h(p) archives p and records it as having been delivered. Thus, the induction hypothesis and the fact that the packet p is both archived and recorded as having been delivered imply that the invariant assertion holds in u.

Otherwise, if p is neither the foremost nor the next packet from h, then the action rm-send_h(p) does not affect the variables archived-pkts?(h'), delivered(h'), and to-be-delivered?(h'). Thus, the induction hypothesis implies that the invariant assertion is satisfied in u.

□ rm-recv_h(p), for p ∈ P_RM-Client, such that source(p) = h': rm-recv_h(p) removes id(p) from to-be-delivered?(h') and adds it to delivered(h'). Thus, the induction hypothesis implies that the invariant assertion holds in u.

□ process-mpkt_h(p), for p ∈ P_SRM, such that source(p) = h': letting (s_p, i_p) = id(p), we analyze the effects of process-mpkt_h(p) by cases. First, if u_k.status ≠ member, then process-mpkt_h(p) does not affect the state of SRM-REC_h. Thus, the induction hypothesis implies that the invariant assertion holds in u.

Second, consider the case where u_k.status = member. We begin with the case where type(p) ∈ {DATA, REPL}. Within this case, consider first the case where p is either the foremost or a proper packet from s_p and h ≠ s_p. If p has not already been archived, then process-mpkt_h(p) adds id(p) to both archived-pkts?(h') and to-be-delivered?(h'). This fact and the induction hypothesis imply that the invariant assertion is satisfied in u. Otherwise, if p has already been archived, then process-mpkt_h(p) adds id(p) to to-be-delivered?(h') only. Since id(p) ∈ u_k.archived-pkts?(h') and process-mpkt_h(p) does not affect archived-pkts, it follows that u.archived-pkts?(h') = u_k.archived-pkts?(h') and, thus, id(p) ∈ u.archived-pkts?(h'). Moreover, since process-mpkt_h(p) adds id(p) to to-be-delivered?(h'), it follows that u.to-be-delivered?(h') = u_k.to-be-delivered?(h') ∪ {id(p)}. From the induction hypothesis, it is the case that u_k.archived-pkts?(h') = u_k.delivered(h') ∪ u_k.to-be-delivered?(h'). Since process-mpkt_h(p) does not affect delivered(h'), it follows that the invariant assertion holds in u.

Otherwise, if either p is neither the foremost nor a proper packet from s_p or h = s_p, then process-mpkt_h(p) does not affect archived-pkts?(h'), delivered(h'), and to-be-delivered?(h'). Thus, the induction hypothesis implies that the invariant assertion is satisfied in u.

If type(p) ∈ {RQST, SESS}, then the action process-mpkt_h(p) does not affect archived-pkts?(h'), delivered(h'), and to-be-delivered?(h'). Thus, the induction hypothesis implies that the invariant assertion is satisfied in u.
Invariant 5.4 For h, h' ∈ H and any reachable state u of SRM-REC_h, it is the case that u.archived-pkts?(h') ⊆ u.window?(h').

Proof: Let α be any finite timed execution of SRM-REC_h leading to u. The proof is by induction on the length n ∈ ℕ of α. For the base case, consider the finite timed execution α of length 0; that is, α = u. Since u is a start state of SRM-REC_h, it is the case that u.min-seqno(h') = ⊥ and u.archived-pkts?(h') = ∅. Since u.min-seqno(h') = ⊥, it is the case that u.window?(h') = ∅. Thus, it follows that u.archived-pkts?(h') ⊆ u.window?(h'), as needed. For the inductive step, consider a timed execution α of length k + 1, for k ∈ ℕ. Let α_k be the prefix of α containing the first k steps of α and u_k = α_k.lstate. For the step from u_k to u we consider only the actions that affect the variables min-seqno(h'), max-seqno(h'), and archived-pkts?(h').

□ rm-leave_h: if u_k.status ≠ crashed, then the action rm-leave_h reinitializes all the variables of SRM-REC_h except the variable now. Thus, it is the case that u.min-seqno(h') = ⊥ and u.archived-pkts?(h') = ∅. Since u.min-seqno(h') = ⊥, it is the case that u.window?(h') = ∅. Thus, it follows that u.archived-pkts?(h') ⊆ u.window?(h'), as needed.

Otherwise, if u_k.status = crashed, then the action rm-leave_h does not affect the state of SRM-REC_h. Thus, the induction hypothesis implies that the invariant assertion holds in u.

□ rm-send_h(p), for p ∈ P_RM-Client, such that source(p) = h': letting (s_p, i_p) = id(p), we analyze the effects of rm-send_h(p) by cases. First, consider the case where ¬(u_k.status = member ∧ h = s_p). In this case, rm-send_h(p) does not affect the variables min-seqno(h') and max-seqno(h'). Thus, the induction hypothesis implies that the invariant assertion is satisfied in u.

Second, consider the case where u_k.status = member and h = s_p. Since s_p = h', it follows that h = h' = s_p. If p is the foremost packet from s_p, that is, u_k.min-seqno(s_p) = ⊥, then the rm-send_h(p) action sets both min-seqno(s_p) and max-seqno(s_p) to i_p and adds the element (p, now) to archived-pkts. Since u_k.min-seqno(s_p) = ⊥, it is the case that u_k.window?(h') = ∅. Thus, the induction hypothesis implies that u_k.archived-pkts?(h') = ∅. It follows that u.archived-pkts?(h') = {id(p)}. Moreover, since u.min-seqno(h') = u.max-seqno(h') = i_p, it follows that u.window?(h') = {id(p)}. Thus, it follows that u.archived-pkts?(h') ⊆ u.window?(h'), as needed.

If p is the next packet from s_p, that is, u_k.min-seqno(s_p) ≠ ⊥ and i_p = u_k.max-seqno(s_p) + 1, then rm-send_h(p) sets max-seqno(s_p) to i_p and adds the element (p, now) to archived-pkts. It follows that u.archived-pkts?(h') = u_k.archived-pkts?(h') ∪ {id(p)} and u.window?(h') = u_k.window?(h') ∪ {id(p)}. From the induction hypothesis, it is the case that u_k.archived-pkts?(h') ⊆ u_k.window?(h'). Thus, it follows that u.archived-pkts?(h') ⊆ u.window?(h'), as needed.

□ process-mpkt_h(p), for p ∈ P_SRM, such that type(p) ∈ {DATA, REPL} and source(p) = h': letting (s_p, i_p) = id(p), we analyze the effects of process-mpkt_h(p) by cases.

First, consider the case where p is the foremost packet from s_p; that is, type(p) = DATA, h ≠ s_p, and u_k.min-seqno(s_p) = ⊥. Since u_k.min-seqno(s_p) = ⊥, it is the case that u_k.window?(s_p) = ∅. Thus, the induction hypothesis implies that u_k.archived-pkts?(s_p) = ∅. Since process-mpkt_h(p) sets both variables min-seqno(h') and max-seqno(h') to i_p and adds (strip(p), now) to archived-pkts, it follows that u.archived-pkts?(h') = u.window?(s_p) = {id(p)}. Thus, it follows that u.archived-pkts?(h') ⊆ u.window?(h').

Second, consider the case where p is not the foremost packet from s_p but is proper; that is, u_k.min-seqno(s_p) ≠ ⊥ and u_k.min-seqno(s_p) ≤ i_p. In this case, the process-mpkt_h(p) action: i) adds the element (strip(p), now) to archived-pkts, if h ≠ s_p ∧ (s_p, i_p) ∉ u_k.archived-pkts?, and ii) sets max-seqno(s_p) to i_p, if u_k.max-seqno(s_p) < i_p. It follows that u.archived-pkts?(s_p) ⊆ u_k.archived-pkts?(s_p) ∪ {id(p)} and u_k.window?(s_p) ∪ {id(p)} ⊆ u.window?(s_p). Moreover, from the induction hypothesis, it is the case that u_k.archived-pkts?(h') ⊆ u_k.window?(h'). Thus, it follows that u.archived-pkts?(h') ⊆ u.window?(h'), as needed.



Invariant 5.5 For h ∈ H, p ∈ P_RM-Client, and any reachable state u of SRM-REC_h, if p ∈ u.to-be-delivered, then u.min-seqno(source(p)) ≠ ⊥ and u.min-seqno(source(p)) ≤ seqno(p).

Proof: From the effects of the process-mpkt_h(p) action, for h ∈ H and p ∈ P_SRM, such that id(p) = (s_p, i_p), it follows that a packet p may be added to to-be-delivered only if h is not the source of p and p is a proper packet; that is, h ≠ s_p, min-seqno(s_p) ≠ ⊥, and min-seqno(s_p) ≤ i_p. ■

Invariant 5.6 For h, h' ∈ H and any reachable state u of SRM-REC_h, it is the case that:

1. u.min-seqno(h') = ⊥ ⇒ u.expected(h') = ∅,

2. u.delivered(h') ⊆ u.expected(h'),

3. h = h' ∧ u.status ≠ crashed ⇒ u.expected(h') = u.proper?(h'), and

4. u.expected(h') ≠ ∅ ⇒ u.expected(h') = u.proper?(h').

Proof: Let α be any finite timed execution of SRM-REC_h leading to u. The proof is by induction on the length n ∈ ℕ of α. For the base case, consider the finite timed execution α of length 0; that is, α = u. Since u is a start state of SRM-REC_h, it is the case that u.min-seqno(h') = ⊥, u.delivered(h') = ∅, u.expected(h') = ∅, and u.proper?(h') = ∅. Thus, the invariant assertion is satisfied in u. For the inductive step, consider a timed execution α of length k + 1, for k ∈ ℕ. Let α_k be the prefix of α containing the first k steps of α and u_k = α_k.lstate. For the step from u_k to u we consider only the actions that affect the variables min-seqno(h'), delivered(h'), expected(h'), and proper?(h').

□ crash_h: the crash_h action sets delivered(h') and expected(h') to ∅. Thus, the invariant assertion is satisfied in u.

□ rm-leave_h: if u_k.status ≠ crashed, then the action rm-leave_h reinitializes all the variables of SRM-REC_h except the variable now and sets the variables delivered(h') and expected(h') to ∅. It follows that u.min-seqno(h') = ⊥, u.delivered(h') = ∅, u.expected(h') = ∅, and u.proper?(h') = ∅. Thus, the invariant assertion is satisfied in u.

Otherwise, if u_k.status = crashed, then the action rm-leave_h does not affect the state of SRM-REC_h. Thus, the induction hypothesis implies that the invariant assertion is satisfied in u.

□ rm-send_h(p), for p ∈ P_RM-Client, such that source(p) = h': letting (s_p, i_p) = id(p), we analyze the effects of rm-send_h(p) by cases. First, if ¬(u_k.status = member ∧ h = s_p), then rm-send_h(p) does not affect the state of SRM-REC_h. Thus, the induction hypothesis implies that the invariant assertion holds in u.

Second, consider the case where u_k.status = member ∧ h = s_p. If p is the foremost packet to be transmitted by s_p; that is, u_k.min-seqno(s_p) = ⊥, then rm-send_h(p) sets min-seqno(h') to i_p, sets expected(h') to suffix(p), and adds id(p) to delivered(h'). The induction hypothesis and the fact that u_k.min-seqno(s_p) = ⊥ imply that u_k.expected(s_p) = ∅. Moreover, from the induction hypothesis it is the case that u_k.delivered(s_p) ⊆ u_k.expected(s_p). Since u_k.expected(s_p) = ∅, it follows that u_k.delivered(s_p) = ∅. Thus, from the effects of rm-send_h(p), it follows that u.expected(s_p) = suffix(p) and u.delivered(s_p) = {id(p)}. Since id(p) ∈ suffix(p), it follows that u.delivered(h') ⊆ u.expected(h'). Moreover, since u.proper?(h') = suffix(p), it follows that u.expected(h') = u.proper?(h'). Since u.min-seqno(s_p) = i_p, u.delivered(h') ⊆ u.expected(h'), and u.expected(h') = u.proper?(h'), it follows that the invariant assertion is satisfied in u.

If p is the next packet from s_p, that is, u_k.min-seqno(s_p) ≠ ⊥ and i_p = u_k.max-seqno(s_p) + 1, then rm-send_h(p) does not affect min-seqno(h'), sets max-seqno(h') to i_p, and adds id(p) to delivered(h'); that is, u.min-seqno(s_p) = u_k.min-seqno(s_p), u.max-seqno(s_p) = i_p, and u.delivered(s_p) = u_k.delivered(s_p) ∪ {id(p)}.

Since h = h' ∧ u_k.status ≠ crashed, the induction hypothesis implies that u_k.expected(h') = u_k.proper?(h'). Since rm-send_h(p) affects neither min-seqno(h') nor expected(h'), it follows that u.proper?(h') = u_k.proper?(h') and u.expected(h') = u_k.expected(h'). Thus, it follows that u.expected(h') = u.proper?(h'), as needed.

From the induction hypothesis, it is the case that u_k.delivered(h') ⊆ u_k.expected(h'). Since i_p = u_k.max-seqno(s_p) + 1 and u.max-seqno(s_p) = i_p, it is the case that u_k.max-seqno(s_p) < u.max-seqno(s_p). Thus, Invariant 5.2 implies that u_k.min-seqno(s_p) < i_p. Since u_k.min-seqno(s_p) < i_p, it follows that id(p) ∈ u_k.proper?(h'). Since u_k.expected(h') = u_k.proper?(h'), it follows that id(p) ∈ u_k.expected(h'). Since u.delivered(s_p) = u_k.delivered(s_p) ∪ {id(p)}, u_k.delivered(h') ⊆ u_k.expected(h'), id(p) ∈ u_k.expected(h'), and u.expected(h') = u_k.expected(h'), it follows that u.delivered(h') ⊆ u.expected(h'). Since u.min-seqno(s_p) ≠ ⊥, u.delivered(h') ⊆ u.expected(h'), and u.expected(h') = u.proper?(h'), it follows that the invariant assertion is satisfied in u.

□ rm-recv_h(p), for p ∈ P_RM-Client, such that source(p) = h': letting (s_p, i_p) = id(p), we analyze the effects of rm-recv_h(p) by cases. First, consider the case where u_k.expected(h') = ∅. From the induction hypothesis, it is the case that u_k.delivered(h') ⊆ u_k.expected(h'). Thus, it follows that u_k.delivered(h') = ∅. Since u_k.expected(h') = ∅, rm-recv_h(p) sets expected(h') to suffix(p) and adds id(p) to delivered(h'); that is, u.expected(s_p) = suffix(p) and u.delivered(s_p) = {id(p)}. Since id(p) ∈ suffix(p), it follows that u.delivered(h') ⊆ u.expected(h'), as needed.

Since u_k.delivered(h') = ∅, Invariant 5.3 implies that u_k.archived-pkts?(h') = u_k.to-be-delivered?(h'). From the precondition of rm-recv_h(p), it follows that p is h's foremost packet from h'; that is, i_p = u_k.min-seqno(h'). Since suffix(p) = {(s, i) ∈ H × ℕ | s_p = s ∧ i_p ≤ i}, it follows that u.proper?(h') = suffix(p). Thus, it follows that u.expected(h') = u.proper?(h'), as needed.

Finally, since p ∈ u_k.to-be-delivered, Invariant 5.5 implies that u_k.min-seqno(s_p) ≠ ⊥. Since rm-recv_h(p) does not affect min-seqno(s_p), it follows that u.min-seqno(s_p) ≠ ⊥. Since u.min-seqno(s_p) ≠ ⊥, u.delivered(h') ⊆ u.expected(h'), and u.expected(h') = u.proper?(h'), it follows that the invariant assertion is satisfied in u.

Second, consider the case where u_k.expected(h') ≠ ∅. In this case, rm-recv_h(p) does not affect min-seqno(s_p), does not affect expected(h'), and adds id(p) to delivered(h'); that is, u.proper?(h') = u_k.proper?(h'), u.expected(s_p) = u_k.expected(s_p), and u.delivered(s_p) = u_k.delivered(s_p) ∪ {id(p)}. Since u_k.expected(h') ≠ ∅, the induction hypothesis implies that u_k.expected(h') = u_k.proper?(h'). Since u.proper?(h') = u_k.proper?(h') and u.expected(s_p) = u_k.expected(s_p), it follows that u.expected(h') = u.proper?(h'), as needed.

Since p ∈ u_k.to-be-delivered, Invariant 5.3 implies that id(p) ∈ u_k.archived-pkts?(h'). Thus, Invariant 5.4 implies that id(p) ∈ u_k.window?(h'). By definition it follows that window?(h') ⊆ proper?(h'). Thus, it is the case that id(p) ∈ u_k.proper?(h') and, since u.proper?(h') = u_k.proper?(h'), id(p) ∈ u.proper?(h'). Thus, it follows that u.delivered(s_p) ⊆ u.expected(s_p), as needed.

Finally, since p ∈ u_k.to-be-delivered, Invariant 5.5 implies that u_k.min-seqno(s_p) ≠ ⊥. Since rm-recv_h(p) does not affect min-seqno(s_p), it follows that u.min-seqno(s_p) ≠ ⊥. Since it is the case that u.min-seqno(s_p) ≠ ⊥, u.delivered(h') ⊆ u.expected(h'), and u.expected(h') = u.proper?(h'), it follows that the invariant assertion is satisfied in u.

□ process-mpkt_h(p), for p ∈ P_SRM, such that source(p) = h': letting (s_p, i_p) = id(p), we analyze the effects of process-mpkt_h(p) by cases.

First, if type(p) = DATA, u_k.status = member, h ≠ s_p, and u_k.min-seqno(h') = ⊥, then the action process-mpkt_h(p) sets min-seqno(h') to i_p and affects neither delivered(h') nor expected(h'). Since u_k.min-seqno(h') = ⊥, the induction hypothesis implies that u_k.expected(h') = ∅. Moreover, from the induction hypothesis, it is the case that u_k.delivered(h') ⊆ u_k.expected(h'). Thus, since u_k.expected(h') = ∅, it follows that u_k.delivered(h') = ∅. Since process-mpkt_h(p) affects neither delivered(h') nor expected(h'), it follows that u.delivered(h') = ∅ and u.expected(h') = ∅. Thus, it follows that u.delivered(h') ⊆ u.expected(h'), as needed. Since h ≠ s_p and s_p = h', it follows that h ≠ h'. Thus, since u.min-seqno(h') ≠ ⊥, u.delivered(h') ⊆ u.expected(h'), h ≠ h', and u.expected(h') = ∅, it follows that the invariant assertion is satisfied in u.

Otherwise, process-mpkt_h(p) does not affect min-seqno(h'), delivered(h'), and expected(h'). Thus, the induction hypothesis implies that the invariant assertion holds in u.



Invariant 5.7 Let h ∈ H and u be any reachable state of SRM-REC_h. For any p ∈ P_SRM, such that type(p) ∈ {DATA, REPL} and p ∈ u.msend-buff, it is the case that id(p) ∈ u.archived-pkts?.

Proof: Let α be any finite timed execution of SRM-REC_h leading to u. The proof is by induction on the length n ∈ ℕ of α. For the base case, consider the finite timed execution α of length 0; that is, α = u. Since u is a start state of SRM-REC_h, it is the case that u.msend-buff = ∅. Thus, the invariant assertion is trivially satisfied in u. For the inductive step, consider a timed execution α of length k + 1, for k ∈ ℕ. Let α_k be the prefix of α containing the first k steps of α and u_k = α_k.lstate. For the step from u_k to u we consider only the actions that affect the variables msend-buff and archived-pkts.

□ rm-leave_h: the action rm-leave_h initializes the variables msend-buff and archived-pkts. Thus, the invariant assertion holds in u.

□ rm-send_h(p), for p ∈ P_RM-Client: the action rm-send_h(p) adds the packet comp-data-pkt(p) to msend-buff if and only if it adds the element (p, now) to the variable archived-pkts. This fact and the induction hypothesis imply that the invariant assertion holds in u.

□ send-repl_h(s, i), for s ∈ H and i ∈ ℕ: the action send-repl_h(s, i) adds the packet pkt = comp-repl-pkt(h, p), for p ∈ P_RM-Client and t ∈ ℝ≥0 such that (p, t) ∈ archived-pkts and id(p) = (s, i), to msend-buff. Since id(pkt) ∈ u_k.archived-pkts? and the send-repl_h(s, i) action does not affect the variable archived-pkts, it follows that id(pkt) ∈ u.archived-pkts?. The induction hypothesis and the facts that pkt ∈ u.msend-buff and id(pkt) ∈ u.archived-pkts? imply that the invariant assertion is satisfied in u.

□ process-mpkt_h(p), for p ∈ P_SRM, such that source(p) = h': process-mpkt_h(p) does not affect msend-buff and may only add the element id(p) to archived-pkts?. Thus, the induction hypothesis implies that the invariant assertion holds in u.
Invariant 5.8 For h ∈ H, p ∈ P_RM-Client, and any reachable state u of SRM-REC_h, if p ∈ u.to-be-delivered, then source(p) ≠ h.

Proof: From the effects of the process-mpkt_h(p) action, for h ∈ H and p ∈ P_SRM, it follows that a packet p may be added to to-be-delivered only if source(p) ≠ h. ■

Invariant 5.9 For h, h' ∈ H and any reachable state u of SRM-REC_h, if u.expected(h') ≠ ∅, then u.to-be-delivered?(h') ⊆ u.expected(h').

Proof: Suppose that u.expected(h') ≠ ∅. Invariant 5.1 implies that u.status = member. Moreover, Invariant 5.6 implies that u.expected(h') = u.proper?(h'). From Invariant 5.4, it is the case that u.archived-pkts?(h') ⊆ u.window?(h'). Moreover, since u.status = member, Invariant 5.3 implies that u.to-be-delivered?(h') ⊆ u.archived-pkts?(h') and, thus, u.to-be-delivered?(h') ⊆ u.window?(h'). Since by definition u.window?(h') ⊆ u.proper?(h'), it follows that u.to-be-delivered?(h') ⊆ u.proper?(h'). Finally, since u.expected(h') = u.proper?(h'), it follows that u.to-be-delivered?(h') ⊆ u.expected(h'). ■

Invariant 5.10 For h, h' ∈ H and any reachable state u of SRM-REC_h, it is the case that u.to-be-requested(h') ⊆ u.window?(h').

Proof: Let α be any finite timed execution of SRM-REC_h leading to u. The proof is by induction on the length n ∈ ℕ of α. For the base case, consider the finite timed execution α of length 0; that is, α = u. Since u is a start state of SRM-REC_h, it follows that u.min-seqno(h') = ⊥ and u.to-be-requested(h') = ∅. Thus, the invariant assertion is satisfied in u. For the inductive step, consider a timed execution α of length k + 1, for k ∈ ℕ. Let α_k be the prefix of α containing the first k steps of α and u_k = α_k.lstate. For the step from u_k to u we consider only the actions that affect the variables min-seqno(h'), max-seqno(h'), and to-be-requested(h').

□ rm-leave_h: if u_k.status = crashed, then rm-leave_h does not affect the state of SRM-REC_h. Thus, the induction hypothesis implies that the invariant assertion is satisfied in u. Otherwise, if u_k.status ≠ crashed, then rm-leave_h reinitializes all the variables of SRM-REC_h except the variable now. It follows that u.min-seqno(h') = ⊥ and u.to-be-requested(h') = ∅. Thus, the invariant assertion holds in u.

□ rm-send_h(p), for p ∈ P_RM-Client, such that source(p) = h': letting (s_p, i_p) = id(p), we analyze the effects of rm-send_h(p) by cases. First, if ¬(u_k.status = member ∧ h = s_p), then rm-send_h(p) does not affect the state of SRM-REC_h. Thus, the induction hypothesis implies that the invariant assertion is satisfied in u.

Second, consider the case where u_k.status = member ∧ h = s_p. If u_k.min-seqno(h') = ⊥, then rm-send_h(p) sets min-seqno(h') and max-seqno(h') to i_p. Since u_k.min-seqno(h') = ⊥, it follows that u_k.window?(h') = ∅. Thus, the induction hypothesis implies that u_k.to-be-requested(h') = ∅. Since rm-send_h(p) does not affect the variable to-be-requested, it follows that u.to-be-requested(h') = ∅. Thus, the invariant assertion holds in u.

Otherwise, if u_k.min-seqno(h') ≠ ⊥, then rm-send_h(p) may only increase the value of the variable max-seqno(h') and does not affect the variable to-be-requested; that is, u_k.window?(h') ⊆ u.window?(h') and u.to-be-requested(h') = u_k.to-be-requested(h'). Thus, the induction hypothesis implies that the invariant assertion holds in u.

□ rep-seqno_h(s, i), for s ∈ H, s ≠ h, and i ∈ ℕ, such that s = h': first, if ¬(u_k.status = member ∧ u_k.min-seqno(s) ≠ ⊥ ∧ u_k.max-seqno(s) < i), then rep-seqno_h(s, i) does not affect the state of SRM-REC_h. Thus, the induction hypothesis implies that the invariant assertion holds in u.

Otherwise, if u_k.status = member, u_k.min-seqno(s) ≠ ⊥, and u_k.max-seqno(s) < i, then the action rep-seqno_h(s, i) adds {(s, i') | i' ∈ ℕ, u_k.max-seqno(s) < i' < i} to to-be-requested and sets max-seqno(s) to i. Invariant 5.2 and the fact that u_k.max-seqno(s) < i imply that u_k.min-seqno(s) < i. Since rep-seqno_h(s, i) does not affect the variable min-seqno(s), it follows that u.min-seqno(s) < i. Thus, since u.min-seqno(s) < i and u.max-seqno(s) = i, it follows that {(s, i') | i' ∈ ℕ, u_k.max-seqno(s) < i' < i} ⊆ u.window?(h'). This fact and the induction hypothesis imply that u.to-be-requested(h') ⊆ u.window?(h').

□ schdl-rqst_h(s, i), for s ∈ H and i ∈ ℕ, such that s = h': the action schdl-rqst_h(s, i) removes the element (s, i) from the set u_k.to-be-requested and does not affect min-seqno(h') and max-seqno(h'). Thus, the induction hypothesis implies that the invariant assertion holds in u.

□ process-mpkt_h(p), for p ∈ P_SRM, such that type(p) = DATA and source(p) = h': letting (s_p, i_p) = id(p), we analyze the effects of the process-mpkt_h(p) action by cases. First, if u_k.status ≠ member, then process-mpkt_h(p) does not affect the state of SRM-REC_h. Thus, the induction hypothesis implies that the invariant assertion holds in u.

Second, consider the case where u_k.status = member. If h ≠ s_p and u_k.min-seqno(s_p) = ⊥, then process-mpkt_h(p) sets the variables min-seqno(h') and max-seqno(h') to i_p and does not affect the variable to-be-requested. Since u_k.min-seqno(h') = ⊥, it follows that u_k.window?(h') = ∅. Thus, the induction hypothesis implies that u_k.to-be-requested(h') = ∅. Since process-mpkt_h(p) does not affect the variable to-be-requested, it follows that u.to-be-requested(h') = ∅. Thus, the invariant assertion holds in u.

If u_k.min-seqno(s_p) ≠ ⊥, u_k.min-seqno(s_p) ≤ i_p, h ≠ s_p, and u_k.max-seqno(s_p) < i_p, then the action process-mpkt_h(p) adds {(s_p, i) | i ∈ ℕ, u_k.max-seqno(s_p) < i < i_p} to to-be-requested and sets max-seqno(h') to i_p. Since u_k.min-seqno(h') ≤ i_p and process-mpkt_h(p) does not affect the variable min-seqno(h'), it follows that u.min-seqno(h') ≤ i_p. Since u.min-seqno(h') ≤ i_p and u.max-seqno(h') = i_p, it follows that {(s_p, i) | i ∈ ℕ, u_k.max-seqno(s_p) < i < i_p} ⊆ u.window?(h'). This fact and the induction hypothesis imply that u.to-be-requested(h') ⊆ u.window?(h').

Otherwise, process-mpkt_h(p) does not affect the variables min-seqno(h'), max-seqno(h'), and to-be-requested(h'). Thus, the induction hypothesis implies that the invariant assertion holds in u.

□ process-mpkt_h(p), for p ∈ P_SRM, such that type(p) ∈ {REPL, RQST} and source(p) = h': letting (s_p, i_p) = id(p), we analyze the effects of the process-mpkt_h(p) action by cases. First, if u_k.status ≠ member, then process-mpkt_h(p) does not affect the state of SRM-REC_h. Thus, the induction hypothesis implies that the invariant assertion holds in u.

Second, consider the case where u_k.status = member. If it is the case that u_k.min-seqno(s_p) ≠ ⊥, u_k.min-seqno(s_p) ≤ i_p, h ≠ s_p, and u_k.max-seqno(s_p) < i_p, then the action process-mpkt_h(p) adds {(s_p, i) | i ∈ ℕ, u_k.max-seqno(s_p) < i < i_p} to to-be-requested and sets max-seqno(h') to i_p. Since u_k.min-seqno(h') ≤ i_p and process-mpkt_h(p) does not affect the variable min-seqno(h'), it follows that u.min-seqno(h') ≤ i_p. Thus, since u.min-seqno(h') ≤ i_p and u.max-seqno(h') = i_p, it follows that {(s_p, i) | i ∈ ℕ, u_k.max-seqno(s_p) < i < i_p} ⊆ u.window?(h'). This fact and the induction hypothesis imply that u.to-be-requested(h') ⊆ u.window?(h').

Otherwise, process-mpkt_h(p) does not affect the variables min-seqno(h'), max-seqno(h'), and to-be-requested(h'). Thus, the induction hypothesis implies that the invariant assertion holds in u.
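The recipient state these proofs reason about, replayed as an added executable sketch (not the paper's own model): a constructed trace for host B receiving from source A is run through the actions analysed in Invariants 5.3, 5.4, 5.6 and 5.10, and the invariants are re-checked after every step. It assumes, since this page does not state them verbatim, that window?(s) is the closed seqno interval [min-seqno(s), max-seqno(s)], that proper?(s) and suffix(p) are upward-closed, that archiving a DATA or REPL packet removes its id from to-be-requested (as Invariant 5.12 requires), and that rm-recv's precondition makes the first delivery from a source its foremost packet; timestamps, msend-buff and scheduled-rqsts are left out.

```python
from collections import defaultdict

DATA, REPL = "DATA", "REPL"

class SrmRec:
    def __init__(self, h):
        self.h = h
        self.min_seqno, self.max_seqno = {}, {}   # source -> seqno; a missing key is ⊥
        self.archived = set()                     # archived-pkts? as ids (s, i)
        self.delivered = defaultdict(set)         # delivered(s)
        self.to_be_delivered = set()
        self.to_be_requested = set()
        self.expected_from = {}                   # expected(s) = {(s, i) | i >= expected_from[s]}

    def window(self, s):                          # window?(s): assumed [min-seqno(s), max-seqno(s)]
        if s not in self.min_seqno:
            return set()
        return {(s, i) for i in range(self.min_seqno[s], self.max_seqno[s] + 1)}

    def _note_gap(self, s, i):                    # seqnos strictly between max-seqno(s) and i are missing
        if self.max_seqno[s] < i:
            self.to_be_requested |= {(s, j) for j in range(self.max_seqno[s] + 1, i)}
            self.max_seqno[s] = i

    def rm_send(self, s, i):                      # rm-send_h(p) with source(p) = h
        if s != self.h or (s in self.min_seqno and i != self.max_seqno[s] + 1):
            return                                # neither h's foremost nor its next packet
        if s not in self.min_seqno:               # foremost packet of h: expected = suffix(p)
            self.min_seqno[s] = self.expected_from[s] = i
        self.max_seqno[s] = i
        self.archived.add((s, i))
        self.delivered[s].add((s, i))

    def process_mpkt(self, s, i, kind):           # process-mpkt_h(p), type(p) in {DATA, REPL}
        foremost = kind == DATA and s not in self.min_seqno
        proper = s in self.min_seqno and self.min_seqno[s] <= i
        if s == self.h or not (foremost or proper):
            return                                # own packet, or neither foremost nor proper
        if foremost:
            self.min_seqno[s] = self.max_seqno[s] = i
        else:
            self._note_gap(s, i)
        self.archived.add((s, i))
        self.to_be_requested.discard((s, i))      # assumed here; required by Invariant 5.12
        self.to_be_delivered.add((s, i))

    def rep_seqno(self, s, i):                    # rep-seqno_h(s, i) for s != h
        if s != self.h and s in self.min_seqno:
            self._note_gap(s, i)

    def rm_recv(self, s, i):                      # rm-recv_h(p): hand p to the client
        assert (s, i) in self.to_be_delivered
        if s not in self.expected_from:           # first delivery from s is its foremost packet
            assert i == self.min_seqno[s]
            self.expected_from[s] = i
        self.to_be_delivered.discard((s, i))
        self.delivered[s].add((s, i))

    def violated(self):
        """Labels of the invariants that fail in the current state (empty if all hold)."""
        bad = set()
        for s in set(self.min_seqno) | {x[0] for x in self.archived | self.to_be_requested}:
            arch = {x for x in self.archived if x[0] == s}
            tbd = {x for x in self.to_be_delivered if x[0] == s}
            tbr = {x for x in self.to_be_requested if x[0] == s}
            lo = self.expected_from.get(s)        # least expected seqno, None when expected = ∅
            checks = [
                (s in self.min_seqno and self.min_seqno[s] > self.max_seqno[s], "5.2"),
                (arch != self.delivered[s] | tbd, "5.3"),
                (not arch <= self.window(s), "5.4"),
                (not tbr <= self.window(s), "5.10"),
                (lo is None and bool(self.delivered[s]), "5.6.2"),
                (lo is not None and lo != self.min_seqno.get(s), "5.6.1/5.6.4"),
                (lo is not None and any(i < lo for _, i in self.delivered[s] | tbd), "5.6.2/5.9"),
            ]
            bad |= {label for failed, label in checks if failed}
        if any(s == self.h or i < self.min_seqno.get(s, i + 1) for s, i in self.to_be_delivered):
            bad.add("5.5/5.8")
        if self.to_be_requested & self.archived:
            bad.add("5.12")
        return sorted(bad)

def run_scenario():
    """Constructed trace for host B receiving from A; returns (final state, failed invariants)."""
    b, failures = SrmRec("B"), []
    trace = [
        ("process_mpkt", ("A", 5, DATA)),         # foremost packet from A
        ("process_mpkt", ("A", 7, DATA)),         # gap: (A,6) becomes to-be-requested
        ("rep_seqno", ("A", 9)),                  # session report: (A,8) is missing too
        ("rm_recv", ("A", 5)),                    # client takes A's foremost packet
        ("process_mpkt", ("A", 6, REPL)),         # repair arrives; its request is dropped
        ("process_mpkt", ("A", 4, DATA)),         # late, below min-seqno: ignored
        ("rm_send", ("B", 1)),                    # B's own foremost packet
        ("rm_send", ("B", 3)),                    # not B's next packet: no effect
    ]
    for name, args in trace:
        getattr(b, name)(*args)
        failures.extend(b.violated())
    return b, failures
```

Dropping the `discard` in `process_mpkt` makes the REPL step report "5.12", which is the kind of gap the inductive proofs above are written to rule out.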
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Invariant 5.11 For h,h' £ H and any reachable state u of SRM-RECh, it is the case that 
u.scheduled-rqsts? {hi) C u.window?{h'). 

Proof: Let a be any finite timed execution of SRM-REC/j leading to u. The proof is by induction 
on the length n £ N of a. For the base case, consider the finite timed execution a of length 0; 
that is, a = u. Since u is a start state of SRM-rec^, it follows that u.min-seqno{h') =_L and 
u.scheduled-rqsts? {h') = 0. Thus, the invariant assertion is satisfied in u. For the inductive step, 
consider a timed execution a of length k + 1, for k £ N. Let a^ be the prefix of a containing the 
first k steps of a and u^ = a^.lstate. For the step from u^ to u we consider only the actions that 
affect the variables min-seqno(h'), max-seqno(h'), and scheduled-rqsts? (h'). 

□ rm-leave^: if u^-status = crashed, then rm-leave/j does not affect the state of RM-Client^. 
Thus, the induction hypothesis implies that the invariant assertion is satisfied in u. Otherwise, 
if u^. status ^ crashed, then rm-leave/j reinitializes all the variables of SRM-REC/j except the 
variable now. It follows that u.min-seqno(h') =_L and u.scheduled-rqsts? (h 1 ) = 0. Thus, the 
invariant assertion is satisfied in u. 

□ rm-send/j(p), for p £ -Prm-Client, such that source(p) = h': letting (s p ,i p ) = id(p), we analyze 
the effects of rm-send/j(p) by cases. First, if -^{uk-status = member f\h = s p ), then rm-send/j(p) 
does not affect the state of RM-Client^. Thus, the induction hypothesis implies that the 
invariant assertion is satisfied in u. 

Second, consider the case where Uk-status = member A h = s p . If Uk-niin-seqno{h') =_L, 
then rm-send^(p) sets min-seqno{h') and max-seqno{h') to i p . Since Uk.min-seqno{h') =_L, 
it follows that u^. window? {h 1 ) = 0. Thus, the induction hypothesis implies that 
ut-scheduled-rqsts? {h') = 0. Since rm-send^(p) does not affect the variable scheduled-rqsts, it 
follows that u.scheduled-rqsts? {h') = 0. Thus, the invariant assertion holds in u. 

Otherwise, if Uk-min-seqno(h') ^_L, then rm-send^(j») may only increase the value of the vari- 
able max-seqno{h') and does not affect the variable scheduled-rqsts; that is, u^-window? {h') C 
u. window ? {h') and u.scheduled-rqsts(h') = Uk-scheduled-rqsts(h') . Thus, the induction hypothe- 
sis implies that the invariant assertion holds in u. 

O rep-seqno^(s, i), for s £ H, s ^ h and i £ N, such that s = h': first, if -^{uk-status = 
member A Uk-min-seqno(s) /_L Auk-max-seqno(s) < i), then rep-seqno^(s, i) does not affect the 
state of SRM-RECft. Thus, the induction hypothesis implies that the invariant assertion holds 
in u. 

Otherwise, if Uk-status = member, Uk-min-seqno{s) t^_L, and Uk-max-seqno(s) < i, then the ac- 
tion rep-seqno^(s, i) sets max-seqno(h') to i. Since Uk.max-seqno(h') < i and u.max-seqno(h') = 
i, it follows that Uk-max-seqno(h') < u.max-seqno{h') . The induction hypothesis and the fact 
that Uk.max-seqno(h') < u.max-seqno{h') imply that the invariant assertion holds in u. 

O schdl-rqst^(s, i), for s £ H and i £ N, such that s = h': schdl-rqst/j(s,i) adds the 
tuple {s,i) to scheduled-rqsts? {h'). From the precondition of schdl-rqst/j(s,i), it follows 
that {s,i) £ Uk-to-be-requested{h'). Thus, Invariant 5.10 implies that (s, i) £ Uk-window?{h'). 
Since schdl-rqst/j(s,i) does not affect the variables min-seqno{h') and max-seqno(h'), it 
follows that u.window?{h') = Uk-window?(h'). From the induction hypothesis, it is the case 
that u^. scheduled-rqsts? {h') C Uk-window?(h'). Since u. window? {h') = Uj~ ■ window ?{h') and 
u.scheduled-rqsts? {h') = Uk-scheduled-rqsts?{h') U (s,i), it follows that the invariant assertion 
hold in u. 

d send-rqst^(s, i), for s £ H and i £ N, such that s = h': from the precondition of the action 
send-rqst^(s, i), it is the case that (s, i) £ u\^. scheduled-rqsts? {h!\ Since send-rqst/ l (s, i) 
simply backs-offthe request scheduled for (s,i), it does not affect min-seqno(h'), max-seqno(h'), 
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and scheduled-rqsts? \h') . Thus, the induction hypothesis implies that the invariant assertion 
holds in u. 

□ process-mpkt/j(j>), for p G -PsRM, such that type{p) = DATA and source{p) = h!\ letting 
(s p ,ip) = id(p), we analyze the effects of the process-mpkt^(p) action by cases. First, if 
Uk-status 7^ member, then process-mpkt^(p) does not affect the state of SRM-REC^. Thus, the 
induction hypothesis implies that the invariant assertion is satisfied in u. 

Second, consider the case where u^. status = member. If p is neither the foremost nor a 
proper packet from s p , then process-mpkt^(p) affects neither of the variables min-seqno(h'), 
max-seqno(h'), and scheduled-rqsts? (h 1 ). Thus, the induction hypothesis implies that the 
invariant assertion holds in u. 

lip is the foremost packet from s p , then process-mpkt/j(j>) sets the variables min-seqno{h') and 
max-seqno(h') to i p . From the induction hypothesis, it follows that ut- scheduled-rqsts? (h!) = 0. 
Since process-mpkt^d)) may only remove elements from scheduled-rqsts? {h'), it follows that 
u. scheduled-rqsts? {h') = 0. Thus, the invariant assertion holds in u. 

Finally, if Uk-min-seqno(s p ) t^_L, then process-mpkt^(p) may only remove elements from the 
set scheduled-rqsts? {h') and increase the value of max-seqno{h') . Thus, the induction hypothesis 
implies that the invariant assertion holds in u. 

□ process-mpkt_h(p), for p ∈ P_SRM, such that type(p) = REPL and source(p) = h': letting
(s_p, i_p) = id(p), we analyze the effects of the process-mpkt_h(p) action by cases. First, if
u_k.status ≠ member, then process-mpkt_h(p) does not affect the state of SRM-REC_h. Thus, the
induction hypothesis implies that the invariant assertion is satisfied in u.

Second, consider the case where u_k.status = member. If p is not a proper packet, then the action
process-mpkt_h(p) does not affect the state of SRM-REC_h. Thus, the induction hypothesis
implies that the invariant assertion holds in u.

If p is a proper packet, then process-mpkt_h(p) may only remove elements from the variable
scheduled-rqsts?(h') and increase the value of max-seqno(h'). Thus, the induction hypothesis
implies that the invariant assertion holds in u.

□ process-mpkt_h(p), for p ∈ P_SRM, such that type(p) = RQST and source(p) = h': letting
(s_p, i_p) = id(p), we analyze the effects of the process-mpkt_h(p) action by cases. First, if
u_k.status ≠ member, then process-mpkt_h(p) does not affect the state of SRM-REC_h. Thus, the
induction hypothesis implies that the invariant assertion is satisfied in u.

Second, consider the case where u_k.status = member. If p does not pertain to a proper packet,
then the action process-mpkt_h(p) does not affect the state of SRM-REC_h. Thus, in this case,
the induction hypothesis implies that the invariant assertion holds in u.

If p pertains to a proper packet and h is not the source of p, then process-mpkt_h(p) may add the
tuple id(p) to scheduled-rqsts?(h') and ensures that i_p ≤ u.max-seqno(h'). Thus, the induction
hypothesis implies that the invariant assertion holds in u. ■



Invariant 5.12 For h, h' ∈ H and any reachable state u of SRM-REC_h, it is the case that
u.to-be-requested(h') ∩ u.archived-pkts?(h') = ∅.

Proof: Let α be any finite timed execution of SRM-REC_h leading to u. The proof is by induction
on the length n ∈ ℕ of α. For the base case, consider the finite timed execution α of length 0;
that is, α = u. Since u is a start state of SRM-REC_h, it follows that u.to-be-requested(h') = ∅ and
u.archived-pkts?(h') = ∅. Thus, the invariant assertion is satisfied in u. For the inductive step,
consider a timed execution α of length k + 1, for k ∈ ℕ. Let α_k be the prefix of α containing the
first k steps of α and u_k = α_k.lstate. For the step from u_k to u we consider only the actions that
affect the variables to-be-requested(h') and archived-pkts?(h').

□ rm-leave_h: if u_k.status = crashed, then rm-leave_h does not affect the state of RM-CLIENT_h.
Thus, the induction hypothesis implies that the invariant assertion is satisfied in u. Otherwise,
if u_k.status ≠ crashed, then rm-leave_h reinitializes all the variables of SRM-REC_h except the
variable now. It follows that u.to-be-requested(h') = ∅ and u.archived-pkts?(h') = ∅. Thus, the
invariant assertion holds in u.

□ rm-send_h(p), for p ∈ P_RM-CLIENT, such that source(p) = h': letting (s_p, i_p) = id(p), we analyze
the effects of rm-send_h(p) by cases. First, if ¬(u_k.status = member ∧ h = s_p), then rm-send_h(p)
does not affect the state of RM-CLIENT_h. Thus, the induction hypothesis implies that the
invariant assertion is satisfied in u.

Second, consider the case where u_k.status = member ∧ h = s_p. If p is the foremost packet to be
transmitted by h', that is, u_k.min-seqno(h') = ⊥, then it follows that u_k.window?(h') = ∅. Thus,
Invariants 5.4 and 5.10 imply that u_k.archived-pkts?(h') = ∅ and u_k.to-be-requested(h') = ∅.
If p is the next packet from h', that is, u_k.min-seqno(h') ≠ ⊥ and i_p = u_k.max-seqno(h') + 1,
then it is the case that id(p) ∉ u_k.window?(h'). Thus, Invariants 5.4 and 5.10 imply that
id(p) ∉ u_k.archived-pkts?(h') and id(p) ∉ u_k.to-be-requested(h').

In either case, rm-send_h(p) adds id(p) to the variable archived-pkts?(h') and does not
affect to-be-requested(h'). It follows that u.to-be-requested(h') = u_k.to-be-requested(h') and
u.archived-pkts?(h') = u_k.archived-pkts?(h') ∪ {id(p)}. From the induction hypothesis, it is
the case that u_k.to-be-requested(h') ∩ u_k.archived-pkts?(h') = ∅. Since it is the case that
id(p) ∉ u_k.to-be-requested(h'), it follows that u.to-be-requested(h') ∩ u.archived-pkts?(h') = ∅.

□ rep-seqno_h(s, i), for s ∈ H, s ≠ h, and i ∈ ℕ, such that s = h': first, if ¬(u_k.status =
member ∧ u_k.min-seqno(s) ≠ ⊥ ∧ u_k.max-seqno(s) < i), then rep-seqno_h(s, i) does not affect
the state of SRM-REC_h. Thus, the induction hypothesis implies that the invariant assertion
holds in u.

Otherwise, if u_k.status = member, u_k.min-seqno(s) ≠ ⊥, and u_k.max-seqno(s) < i, then the
action rep-seqno_h(s, i) adds {(s, i') | i' ∈ ℕ, u_k.max-seqno(s) < i' ≤ i} to to-be-requested(h') and
does not affect archived-pkts?(h'). From Invariant 5.4, it is the case that u_k.archived-pkts?(h') ⊆
u_k.window?(h'). Thus, it follows that u_k.archived-pkts?(h') ∩ {(s, i') | i' ∈ ℕ, u_k.max-seqno(s) <
i' ≤ i} = ∅. From the induction hypothesis, it is the case that u_k.to-be-requested(h') ∩
u_k.archived-pkts?(h') = ∅. Thus, it follows that u.to-be-requested(h') ∩ u.archived-pkts?(h') = ∅,
as needed.

□ schdl-rqst_h(s, i), for s ∈ H, i ∈ ℕ, such that s = h': the schdl-rqst_h(s, i) action removes the
element (s, i) from to-be-requested(h') and does not affect archived-pkts?(h'). From the induction
hypothesis, it is the case that u_k.to-be-requested(h') ∩ u_k.archived-pkts?(h') = ∅. Thus, it follows
that u.to-be-requested(h') ∩ u.archived-pkts?(h') = ∅, as needed.

□ process-mpkt_h(p), for p ∈ P_SRM, such that type(p) ∈ {DATA, REPL, RQST}, (s_p, i_p) = id(p),
and s_p = h': the action process-mpkt_h(p) adds {(s_p, i') | i' ∈ ℕ, u_k.max-seqno(s_p) <
i' ≤ i_p} to to-be-requested(h') only if h ≠ s_p and u_k.max-seqno(s_p) < i_p. Moreover, the
action process-mpkt_h(p) removes (s_p, i_p) from to-be-requested(h') whenever it adds it to
archived-pkts?(h').

Invariant 5.4 implies that u_k.archived-pkts?(h') ∩ {(s_p, i') | i' ∈ ℕ, u_k.max-seqno(s_p) < i' ≤ i_p} = ∅.
From the induction hypothesis, it is the case that u_k.to-be-requested(h') ∩ u_k.archived-pkts?(h') =
∅. Thus, it follows that the invariant assertion holds in u. ■






Invariant 5.13 For h, h' ∈ H and any reachable state u of SRM-REC_h, it is the case that
u.scheduled-rqsts?(h') ∩ u.archived-pkts?(h') = ∅.

Proof: Let α be any finite timed execution of SRM-REC_h leading to u. The proof is by induction
on the length n ∈ ℕ of α. For the base case, consider the finite timed execution α of length 0;
that is, α = u. Since u is a start state of SRM-REC_h, it follows that u.scheduled-rqsts?(h') = ∅
and u.archived-pkts?(h') = ∅. Thus, the invariant assertion is satisfied in u. For the inductive step,
consider a timed execution α of length k + 1, for k ∈ ℕ. Let α_k be the prefix of α containing the
first k steps of α and u_k = α_k.lstate. For the step from u_k to u we consider only the actions that
affect the variables scheduled-rqsts?(h') and archived-pkts?(h').

□ rm-leave_h: if u_k.status = crashed, then rm-leave_h does not affect the state of RM-CLIENT_h.
Thus, the induction hypothesis implies that the invariant assertion is satisfied in u. Otherwise,
if u_k.status ≠ crashed, then rm-leave_h reinitializes all the variables of SRM-REC_h except the
variable now. It follows that u.scheduled-rqsts?(h') = ∅ and u.archived-pkts?(h') = ∅. Thus, the
invariant assertion holds in u.

□ rm-send_h(p), for p ∈ P_RM-CLIENT, such that source(p) = h': letting (s_p, i_p) = id(p), we analyze
the effects of rm-send_h(p) by cases. First, if ¬(u_k.status = member ∧ h = s_p), then rm-send_h(p)
does not affect the state of RM-CLIENT_h. Thus, the induction hypothesis implies that the
invariant assertion is satisfied in u.

Second, consider the case where u_k.status = member ∧ h = s_p. If p is the foremost packet to be
transmitted by h', that is, u_k.min-seqno(h') = ⊥, then it follows that u_k.window?(h') = ∅. Thus,
Invariants 5.4 and 5.11 imply that u_k.scheduled-rqsts?(h') = ∅ and u_k.archived-pkts?(h') = ∅.
If p is the next packet from h', that is, u_k.min-seqno(s_p) ≠ ⊥ and i_p = u_k.max-seqno(s_p) + 1,
then it is the case that id(p) ∉ u_k.window?(h'). Thus, Invariants 5.4 and 5.11 imply that
id(p) ∉ u_k.scheduled-rqsts?(h') and id(p) ∉ u_k.archived-pkts?(h').

In either case, rm-send_h(p) adds id(p) to the variable archived-pkts?(h') and does not
affect scheduled-rqsts?(h'). It follows that u.scheduled-rqsts?(h') = u_k.scheduled-rqsts?(h') and
u.archived-pkts?(h') = u_k.archived-pkts?(h') ∪ {id(p)}. From the induction hypothesis, it is
the case that u_k.scheduled-rqsts?(h') ∩ u_k.archived-pkts?(h') = ∅. Since it is the case that
id(p) ∉ u_k.scheduled-rqsts?(h'), it follows that u.scheduled-rqsts?(h') ∩ u.archived-pkts?(h') = ∅,
as needed.

□ schdl-rqst_h(s, i), for s ∈ H, i ∈ ℕ, such that s = h': the schdl-rqst_h(s, i) action schedules
a request for (s, i) and does not affect archived-pkts?(h'); that is, u.scheduled-rqsts?(h') =
u_k.scheduled-rqsts?(h') ∪ {(s, i)} and u.archived-pkts?(h') = u_k.archived-pkts?(h').

From the precondition of schdl-rqst_h(s, i), it follows that (s, i) ∈ u_k.to-be-requested(h').
From Invariant 5.12, it follows that (s, i) ∉ u_k.archived-pkts?(h'). Since it is the case that
u.archived-pkts?(h') = u_k.archived-pkts?(h'), it follows that (s, i) ∉ u.archived-pkts?(h'). From the
induction hypothesis, it is the case that u_k.scheduled-rqsts?(h') ∩ u_k.archived-pkts?(h') = ∅.
Thus, it follows that u.scheduled-rqsts?(h') ∩ u.archived-pkts?(h') = ∅, as needed.

□ send-rqst_h(s, i), for s ∈ H, i ∈ ℕ, such that s = h': from the precondition of send-rqst_h(s, i),
it is the case that (s, i) ∈ u_k.scheduled-rqsts?(h'). Since send-rqst_h(s, i) simply backs off
the request scheduled for (s, i), it follows that u.scheduled-rqsts?(h') = u_k.scheduled-rqsts?(h').
Moreover, send-rqst_h(s, i) does not affect the variable archived-pkts?(h'). Thus, it follows that
u.archived-pkts?(h') = u_k.archived-pkts?(h'). Thus, the induction hypothesis implies that the
invariant assertion holds in u.

□ process-mpkt_h(p), for p ∈ P_SRM, such that type(p) ∈ {DATA, REPL} and source(p) = h': in
this case, if the process-mpkt_h(p) action archives the packet strip(p), then it also cancels any
requests scheduled for id(p). Thus, the induction hypothesis implies that the invariant assertion
holds in u.

□ process-mpkt_h(p), for p ∈ P_SRM, such that type(p) = RQST and source(p) = h': in this
case, the process-mpkt_h(p) action schedules a request for id(p) only if h ≠ s_p and id(p) ∉
u_k.archived-pkts?(h'). Thus, the induction hypothesis implies that the invariant assertion holds
in u. ■
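To make the bookkeeping behind Invariants 5.12 and 5.13 concrete, here is an added executable sketch (not part of the paper, and not the paper's automaton) of the SRM-REC_h request-scheduling state: it models the rm-send, rep-seqno, schdl-rqst and process-mpkt actions as read from the proofs above, abstracts away timing, round counts and the send/receive buffers, and re-checks Invariants 5.4, 5.10, 5.11, 5.12 and 5.13 after every step of a constructed trace. The action preconditions, the host names and the sample trace are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

PktId = Tuple[str, int]  # (source host, sequence number): the paper's id(p) = (s_p, i_p)


@dataclass
class SrmRec:
    """Abstracted SRM-REC_h state for receiver h: timing, round counts and buffers are omitted."""
    h: str
    status: str = "member"                                    # join/leave phases abstracted away
    min_seqno: Dict[str, int] = field(default_factory=dict)   # absent key stands for ⊥
    max_seqno: Dict[str, int] = field(default_factory=dict)
    to_be_requested: Set[PktId] = field(default_factory=set)
    scheduled_rqsts: Set[PktId] = field(default_factory=set)
    archived_pkts: Set[PktId] = field(default_factory=set)

    def window(self, s: str) -> Set[PktId]:
        """window?(s): ids from min-seqno(s) to max-seqno(s); empty while min-seqno(s) = ⊥."""
        return {(s, i) for i in range(self.min_seqno.get(s, 1), self.max_seqno.get(s, 0) + 1)}

    def _advance(self, s: str, i: int) -> None:
        """Add {(s, i') | max-seqno(s) < i' <= i} to to-be-requested and raise max-seqno(s) to i."""
        hi = self.max_seqno[s]
        if hi < i:
            self.to_be_requested |= {(s, j) for j in range(hi + 1, i + 1)}
            self.max_seqno[s] = i

    def rm_send(self, p: PktId) -> None:
        """Local transmission: archive h's own foremost or next packet (assumed precondition)."""
        s, i = p
        if self.status != "member" or s != self.h:
            return
        if s not in self.min_seqno:
            self.min_seqno[s] = self.max_seqno[s] = i
        elif i == self.max_seqno[s] + 1:
            self.max_seqno[s] = i
        else:
            return
        self.archived_pkts.add(p)

    def rep_seqno(self, s: str, i: int) -> None:
        """Learn that s has sent up to sequence number i: note the gap."""
        if self.status == "member" and s != self.h and s in self.min_seqno:
            self._advance(s, i)

    def schdl_rqst(self, s: str, i: int) -> None:
        """Move (s, i) from to-be-requested to scheduled-rqsts."""
        if (s, i) in self.to_be_requested:
            self.to_be_requested.discard((s, i))
            self.scheduled_rqsts.add((s, i))

    def process_mpkt(self, ptype: str, p: PktId) -> None:
        """Receive a DATA, REPL or RQST packet with id p = (s_p, i_p) from the group."""
        if self.status != "member":
            return
        s, i = p
        if s not in self.min_seqno:                # foremost packet from s opens its window
            if ptype != "DATA":
                return
            self.min_seqno[s] = self.max_seqno[s] = i
        elif s != self.h:
            self._advance(s, i)
        if p not in self.window(s):                # not a proper packet: nothing else changes
            return
        if ptype in ("DATA", "REPL"):              # archiving cancels any request for p
            self.archived_pkts.add(p)
            self.to_be_requested.discard(p)
            self.scheduled_rqsts.discard(p)
        elif ptype == "RQST" and s != self.h and p not in self.archived_pkts:
            self.to_be_requested.discard(p)        # another member asked first: schedule our own
            self.scheduled_rqsts.add(p)

    def invariants_hold(self) -> bool:
        """Invariants 5.4, 5.10, 5.11 (subsets of the window) and 5.12, 5.13 (disjointness)."""
        sets = (self.archived_pkts, self.to_be_requested, self.scheduled_rqsts)
        for s in {src for v in sets for src, _ in v}:
            if any(not {x for x in v if x[0] == s} <= self.window(s) for v in sets):
                return False
        return not (self.to_be_requested & self.archived_pkts) and \
            not (self.scheduled_rqsts & self.archived_pkts)


def run_trace(rec: SrmRec, trace: list) -> bool:
    """Apply each (action, *args) step and check the invariants after it; False on a violation."""
    for name, *args in trace:
        getattr(rec, name)(*args)
        if not rec.invariants_hold():
            return False
    return True


# Constructed trace for receiver "r" observing source "a" (sample data, not from the paper).
SAMPLE_TRACE = [
    ("process_mpkt", "DATA", ("a", 1)),   # foremost packet from a: window?(a) = {(a, 1)}
    ("process_mpkt", "DATA", ("a", 4)),   # gap: (a, 2) and (a, 3) become to-be-requested
    ("schdl_rqst", "a", 2),
    ("process_mpkt", "RQST", ("a", 3)),   # another member's request for (a, 3)
    ("process_mpkt", "REPL", ("a", 2)),   # reply arrives: archived, own request cancelled
    ("rep_seqno", "a", 6),                # a is known to have sent up to 6
    ("rm_send", ("r", 1)),                # r's own foremost packet
]
```

Archiving a packet without cancelling its request (for instance adding ("a", 3) to archived_pkts by hand after the trace) makes invariants_hold() return False, which is exactly the coupling the process-mpkt cases of the two proofs rely on.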



Invariant 5.14 Let u be any reachable state of SRM-REC_h. For s ∈ H, i ∈ ℕ, t, t' ∈ ℝ≥0, and
k ∈ ℕ+, if (s, i, t) ∈ pending-rqsts and (s, i, t', k) ∈ scheduled-rqsts, then t < t'.

Proof: From Assumption 5.1, it is the case that C3 < C1. Thus, the expiration time of the
back-off abstinence period precedes the transmission time of the respective request. ■

Invariant 5.15 Let u be any reachable state of SRM-REC_h. For h, s ∈ H and i ∈ ℕ, if
the action send-rqst_h(s, i) is enabled in u, i.e., u.Pre(send-rqst_h(s, i)) = True, then (s, i) ∉
u.pending-rqsts?.

Proof: Suppose that u.Pre(send-rqst_h(s, i)) = True. From the precondition of the action
send-rqst_h(s, i), it follows that there exists k ∈ ℕ+ such that (s, i, t', k) ∈ scheduled-rqsts, for t' =
u.now. Invariant 5.14 implies that there does not exist t ∈ ℝ≥0 such that (s, i, t) ∈ pending-rqsts
and t' < t. Since t' = u.now, it follows that (s, i) ∉ u.pending-rqsts?. ■

We proceed by presenting several lemmas pertaining to the RM_I automaton.

Lemma 5.2 Let p ∈ P_RM-CLIENT, α be any finite timed execution fragment of RM_I, and u, u' ∈
states(RM_I), such that u = α.fstate and u' = α.lstate. If p ∈ u[SRM].sent-pkts, then it is the case
that p ∈ u'[SRM].sent-pkts.

Proof: Follows directly from the fact that the variable trans-time(p) may only be set by the
automaton RM_I to a value other than ⊥. In particular, the variable trans-time(p) may only be set
by the action rm-send_h(p), for h = source(p), to the value of the variable now of the automaton
SRM-REC_h. ■

Lemma 5.3 Let s, h ∈ H, i ∈ ℕ, and u ∈ states(RM_I) be any reachable state of RM_I, such that
(s, i) ∈ u[SRM-REC_h].archived-pkts?. Moreover, let α be any timed execution fragment of RM_I
that starts in u, does not contain an rm-leave_h action, and ends in some u' ∈ states(RM_I). Then,
it is the case that (s, i) ∈ u'[SRM-REC_h].archived-pkts?.

Proof: Follows from a simple induction on the length of α. The key point of the induction is
that none of the actions of SRM-REC_h, except the action rm-leave_h, which is not contained in α,
remove elements from or initialize the set SRM-REC_h.archived-pkts?. ■

Lemma 5.4 Let s, h ∈ H, i ∈ ℕ, and u ∈ states(RM_I) be any reachable state of RM_I, such that
(s, i) ∈ u[SRM-REC_h].scheduled-rqsts?. Moreover, let α be any timed execution fragment of RM_I
that starts in u, does not contain an rm-leave_h action, and ends in some u' ∈ states(RM_I). Then,
either (s, i) ∈ u'[SRM-REC_h].scheduled-rqsts? or (s, i) ∈ u'[SRM-REC_h].archived-pkts?.

Proof: Follows from a simple induction on the length of α. The key points of the induction
are that: i) whenever the elements of SRM-REC_h.scheduled-rqsts pertaining to (s, i) are removed
from SRM-REC_h.scheduled-rqsts, then either another element pertaining to (s, i) is added to
SRM-REC_h.scheduled-rqsts or (s, i) ∈ SRM-REC_h.archived-pkts?, and ii) from Lemma 5.3, none
of the actions of SRM-REC_h, except the action rm-leave_h, which is not contained in α, remove
elements from the set SRM-REC_h.archived-pkts?. ■

Lemma 5.5 Let s, h ∈ H, i ∈ ℕ, t ∈ ℝ≥0, k ∈ ℕ+, and u ∈ states(RM_I) be any reachable state of
RM_I, such that u[SRM-REC_h].status = member and (s, i, t, k) ∈ u[SRM-REC_h].scheduled-rqsts.
Moreover, let α be any timed execution fragment of RM_I that starts in u, contains neither
crash_h nor rm-leave_h actions, and ends in some u' ∈ states(RM_I), such that t < u'.now and
(s, i, t', k') ∈ u'[SRM-REC_h].scheduled-rqsts, for t' ∈ ℝ≥0 and k' ∈ ℕ+. Then, it is the case that
k < k'.

Proof: Invariant 5.13 and Lemma 5.4 imply that in any state u'' in α it is the case that
(s, i) ∈ u''[SRM-REC_h].scheduled-rqsts?. However, since (s, i, t, k) ∈ u[SRM-REC_h].scheduled-rqsts,
t < u'.now, and time is not allowed to progress past the scheduled transmission time of any request,
it follows that the request for (s, i) is rescheduled for transmission in α for a point in time no
earlier than u'.now. The only actions that may reschedule the request for (s, i) are the actions
send-rqst_h(s, i) and process-mpkt_h(p), for p ∈ P_SRM, such that id(p) = (s, i) and type(p) = RQST.
Whenever either of these actions reschedules the request for (s, i), it increments the element of
the tuple corresponding to the round count. ■

Lemma 5.6 The occurrence of an action send-rqst_h(s, i), for h, s ∈ H and i ∈ ℕ, in any
admissible timed execution α of RM_I is instantaneously succeeded in α by the occurrence of either
a crash_h, rm-leave_h, or rec-msend_h(p) action, where p ∈ P_SRM is a retransmission request for
the packet (s, i).

Proof: The send-rqst_h(s, i) action adds a RQST packet for (s, i) to the variable
SRM-REC_h.msend-buff. Moreover, SRM-REC_h prevents time from elapsing while it is
the case that SRM-REC_h.status ≠ crashed ∧ SRM-REC_h.msend-buff ≠ ∅. ■

Lemma 5.7 The occurrence of an action send-repl_h(s, i), for h, s ∈ H and i ∈ ℕ, in any
admissible timed execution α of RM_I is instantaneously succeeded in α by the occurrence of either
a crash_h, rm-leave_h, or rec-msend_h(p) action, where p ∈ P_SRM is a retransmission of (reply for)
the packet (s, i).

Proof: The send-repl_h(s, i) action adds a REPL packet for (s, i) to the variable
SRM-REC_h.msend-buff. Moreover, SRM-REC_h prevents time from elapsing while it is
the case that SRM-REC_h.status ≠ crashed ∧ SRM-REC_h.msend-buff ≠ ∅. ■

Lemma 5.8 The occurrence of an action rec-msend_h(p), for h ∈ H and p ∈ P_SRM, in any
admissible timed execution α of RM_I is instantaneously succeeded in α by the occurrence of either
a crash_h, rm-leave_h, or msend_h(pkt) action, for pkt ∈ P_IPMCAST-CLIENT, such that strip(pkt) = p.

Proof: The rec-msend_h(p) action adds an element to the variable SRM-IPBUFF_h.msend-buff.
Moreover, SRM-IPBUFF_h prevents time from elapsing while SRM-IPBUFF_h.status ≠ crashed ∧
SRM-IPBUFF_h.msend-buff ≠ ∅. ■

Lemma 5.9 The occurrence of an action mrecv_h(pkt), for h ∈ H and pkt ∈ P_SRM, in a state
u ∈ states(RM_I) in any admissible timed execution α of RM_I, such that u[SRM-MEM_h].status =
member, is instantaneously succeeded in α by the occurrence of either a crash_h, rm-leave_h, or
process-mpkt_h(p) action, for p ∈ P_SRM, such that p = strip(pkt).

Proof: Since u[SRM-MEM_h].status = member, the particular occurrence of the mrecv_h(pkt)
action adds an element pertaining to pkt to the variable SRM-IPBUFF_h.mrecv-buff. Moreover,
SRM-IPBUFF_h prevents time from elapsing while SRM-IPBUFF_h.status ≠ crashed ∧
SRM-IPBUFF_h.mrecv-buff ≠ ∅. ■

Lemma 5.10 Let α be any admissible execution of RM_I containing the discrete transition
(u, π, u'), for u, u' ∈ states(RM_I), h ∈ H, p ∈ P_RM-CLIENT, (s_p, i_p) = id(p), and π = rm-send_h(p).
If it is the case that either u[SRM-REC_h].min-seqno(s_p) = ⊥ or u[SRM-REC_h].min-seqno(s_p) ≠ ⊥
∧ i_p = u[SRM-REC_h].max-seqno(s_p) + 1, then the discrete transition (u, π, u') is instantaneously
succeeded in α by the occurrence of either a crash_h, rm-leave_h, or rec-msend_h(p') action, for
p' = comp-data-pkt(p).

Proof: Suppose that either u[SRM-REC_h].min-seqno(s_p) = ⊥ or u[SRM-REC_h].min-seqno(s_p) ≠ ⊥
and i_p = u[SRM-REC_h].max-seqno(s_p) + 1. Then, the discrete transition (u, π, u') adds the
element p' to SRM-REC_h.msend-buff. Moreover, SRM-REC_h prevents time from elapsing while
SRM-REC_h.status ≠ crashed ∧ SRM-REC_h.msend-buff ≠ ∅. ■

We now present some invariants pertaining to the RM_I automaton.

Invariant 5.16 For h ∈ H and any reachable state u of RM_I, it is the case that:

1. u[RM-CLIENT_h].status = idle ⇔ u[SRM-MEM_h].status = idle,

2. u[RM-CLIENT_h].status = member ⇔ u[SRM-MEM_h].status = member,

3. u[RM-CLIENT_h].status = crashed ⇔ u[SRM-MEM_h].status = crashed,

4. u[RM-CLIENT_h].status = joining ⇔ u[SRM-MEM_h].status ∈ Joining, and

5. u[RM-CLIENT_h].status = leaving ⇔ u[SRM-MEM_h].status ∈ Leaving.

Proof: Let α be any finite timed execution of RM_I leading to u. The proof is by induction on
the length n ∈ ℕ of α. For the base case, consider the finite timed execution α of length 0; that
is, α = u. Since u is a start state of RM_I, it is the case that u[RM-CLIENT_h].status = idle and
u[SRM-MEM_h].status = idle. Thus, the invariant assertion is satisfied in u. For the inductive
step, consider a timed execution α of length k + 1, for k ∈ ℕ. Let α_k be the prefix of α containing
the first k steps of α and u_k = α_k.lstate. For the step from u_k to u we consider only the actions
that affect the variables RM-CLIENT_h.status and SRM-MEM_h.status.

□ crash_h: the action crash_h sets both variables RM-CLIENT_h.status and SRM-MEM_h.status to
the value crashed. Thus, the invariant assertion holds in u.

□ rm-join_h: from the precondition of the rm-join_h action, it follows that
u_k[RM-CLIENT_h].status = idle. From the induction hypothesis it follows that
u_k[SRM-MEM_h].status = idle. Thus, the action rm-join_h sets RM-CLIENT_h.status to joining
and SRM-MEM_h.status to join-rqst-pending; that is, u[RM-CLIENT_h].status = joining and
u[SRM-MEM_h].status ∈ Joining. It follows that the invariant assertion holds in u.

□ mjoin_h: from the precondition of the mjoin_h action, it follows that u_k[SRM-MEM_h].status ∈
Joining. From the induction hypothesis it follows that u_k[RM-CLIENT_h].status = joining.
The action mjoin_h sets the variable SRM-MEM_h.status to join-pending and does not affect
the variable RM-CLIENT_h.status. Thus, it is the case that u[SRM-MEM_h].status ∈ Joining and
u[RM-CLIENT_h].status = joining. It follows that the invariant assertion holds in u.

□ mjoin-ack_h: we first consider the case where u_k[SRM-MEM_h].status ∉ Joining. In this case,
mjoin-ack_h affects neither RM-CLIENT_h.status nor SRM-MEM_h.status. Thus, the induction
hypothesis implies the invariant assertion in u.

Second, we consider the case where u_k[SRM-MEM_h].status ∈ Joining. In this case,
mjoin-ack_h sets the variable SRM-MEM_h.status to join-ack-pending and does not affect
RM-CLIENT_h.status. Since u_k[SRM-MEM_h].status ∈ Joining, the induction hypothesis
implies that u_k[RM-CLIENT_h].status = joining. Moreover, since mjoin-ack_h does not affect
RM-CLIENT_h.status, it follows that u[RM-CLIENT_h].status = joining. Thus, the invariant
assertion holds in u.

□ rm-join-ack_h: from the precondition of rm-join-ack_h, it follows that u_k[SRM-MEM_h].status ∈
Joining. From the induction hypothesis it follows that u_k[RM-CLIENT_h].status = joining.
Thus, the rm-join-ack_h action sets both SRM-MEM_h.status and RM-CLIENT_h.status to
member. It follows that the invariant assertion holds in u.

□ rm-leave_h: the reasoning for this action is analogous to that of rm-join_h.

□ mleave_h: the reasoning for this action is analogous to that of mjoin_h.

□ mleave-ack_h: the reasoning for this action is analogous to that of mjoin-ack_h.

□ rm-leave-ack_h: the reasoning for this action is analogous to that of rm-join-ack_h. ■


Invariant 5.17 For h ∈ H and any reachable state u of RM_I, it is the case that
u[RM-CLIENT_h].seqno = u[SRM-REC_h].max-seqno(h).

Proof: Let α be any finite timed execution of RM_I leading to u. The proof is by induction
on the length n ∈ ℕ of α. For the base case, consider the finite timed execution α of length
0; that is, α = u. Since u is a start state of RM_I, it follows that u[RM-CLIENT_h].seqno = ⊥
and u[SRM-REC_h].max-seqno(h) = ⊥. Thus, the invariant assertion is satisfied in u. For the
inductive step, consider a timed execution α of length k + 1, for k ∈ ℕ. Let α_k be the prefix of α
containing the first k steps of α and u_k = α_k.lstate. For the step from u_k to u, we consider only
the rm-send_h(p) action, since this is the only action that affects the variables RM-CLIENT_h.seqno
and SRM-REC_h.max-seqno(h).

From the precondition of rm-send_h(p), it is the case that u_k[RM-CLIENT_h].status = member,
source(p) = h, and either u_k[RM-CLIENT_h].seqno = ⊥ or seqno(p) = u_k[RM-CLIENT_h].seqno + 1.
The effects of rm-send_h(p) are to set RM-CLIENT_h.seqno to seqno(p).

Since u_k[RM-CLIENT_h].status = member, Invariant 5.16 implies that it is the case that
u_k[SRM-REC_h].status = member. From the induction hypothesis, it is the case that
u_k[RM-CLIENT_h].seqno = u_k[SRM-REC_h].max-seqno(h). Thus, it is the case that either
u_k[SRM-REC_h].max-seqno(h) = ⊥ or seqno(p) = u_k[SRM-REC_h].max-seqno(h) + 1. In either
case, rm-send_h(p) sets SRM-REC_h.max-seqno(h) to seqno(p). Thus, it follows that
u[RM-CLIENT_h].seqno = u[SRM-REC_h].max-seqno(h). ■

Invariant 5.18 For h ∈ H and any reachable state u of RM_I, it is the case that:

1. u[SRM-MEM_h].status = crashed ⇔ u[SRM-IPBUFF_h].status = crashed
   ∧ u[SRM-MEM_h].status = member ⇔ u[SRM-IPBUFF_h].status = member,

2. u[SRM-MEM_h].status = crashed ⇔ u[SRM-REC_h].status = crashed
   ∧ u[SRM-MEM_h].status = member ⇔ u[SRM-REC_h].status = member, and

3. u[SRM-MEM_h].status = crashed ⇔ u[SRM-REP_h].status = crashed
   ∧ u[SRM-MEM_h].status = member ⇔ u[SRM-REP_h].status = member.

Proof: We prove that u[SRM-MEM_h].status = crashed ⇔ u[SRM-IPBUFF_h].status = crashed ∧
u[SRM-MEM_h].status = member ⇔ u[SRM-IPBUFF_h].status = member; the proofs of the remaining
claims are analogous.

Let α be any finite timed execution of RM_I leading to u. The proof is by induction on the
length n ∈ ℕ of α. For the base case, consider the finite timed execution α of length 0; that
is, α = u. Since u is a start state of RM_I, it follows that u[SRM-MEM_h].status = idle and
u[SRM-IPBUFF_h].status = idle. Thus, the invariant assertion is satisfied in u. For the inductive
step, consider a timed execution α of length k + 1, for k ∈ ℕ. Let α_k be the prefix of α containing
the first k steps of α and u_k = α_k.lstate. For the step from u_k to u, we consider only the actions
that affect the variables SRM-MEM_h.status and SRM-IPBUFF_h.status.

□ crash_h: the action crash_h sets both variables SRM-MEM_h.status and SRM-IPBUFF_h.status to
the value crashed. Thus, the invariant assertion holds in u.

□ rm-join_h: from the precondition of rm-join_h, it follows that u_k[RM-CLIENT_h].status =
idle. Invariant 5.16 implies that u_k[SRM-MEM_h].status = idle. Since
u_k[SRM-MEM_h].status ∉ {crashed, member}, the induction hypothesis implies that
u_k[SRM-IPBUFF_h].status ∉ {crashed, member}.

Since rm-join_h sets SRM-MEM_h.status to join-rqst-pending, it follows that
u[SRM-MEM_h].status ∉ {crashed, member}. Since rm-join_h does not affect the variable
SRM-IPBUFF_h.status, it follows that u[SRM-IPBUFF_h].status ∉ {crashed, member}.
Thus, it follows that the invariant assertion holds in u.

□ mjoin_h: from the precondition of mjoin_h, it follows that u_k[SRM-MEM_h].status ∈ Joining; that
is, u_k[SRM-MEM_h].status ∉ {crashed, member}. Thus, the induction hypothesis implies that
u_k[SRM-IPBUFF_h].status ∉ {crashed, member}.

Since the action mjoin_h sets the variable SRM-MEM_h.status to join-pending, it follows that
u[SRM-MEM_h].status ∉ {crashed, member}. Moreover, since mjoin_h does not affect the variable
SRM-IPBUFF_h.status, it follows that u[SRM-IPBUFF_h].status ∉ {crashed, member}. Thus, it
follows that the invariant assertion holds in u.

□ mjoin-ack_h: first, consider the case where u_k[SRM-MEM_h].status ∉ Joining. Since in this
case mjoin-ack_h affects neither SRM-MEM_h.status nor SRM-IPBUFF_h.status, the induction
hypothesis implies that the invariant assertion holds in u.

Second, consider the case where u_k[SRM-MEM_h].status ∈ Joining. Since
u_k[SRM-MEM_h].status ∉ {crashed, member}, the induction hypothesis implies that
u_k[SRM-IPBUFF_h].status ∉ {crashed, member}. Since u_k[SRM-MEM_h].status ∈ Joining,
the action mjoin-ack_h sets SRM-MEM_h.status to join-ack-pending; that is,
u[SRM-MEM_h].status ∉ {crashed, member}. Since mjoin-ack_h does not affect the variable
SRM-IPBUFF_h.status, it follows that u[SRM-IPBUFF_h].status ∉ {crashed, member}. Thus, it
follows that the invariant assertion holds in u.

□ rm-join-ack_h: from the precondition of rm-join-ack_h, it is the case that
u_k[SRM-MEM_h].status ∈ Joining. Since u_k[SRM-MEM_h].status ∉ {crashed, member},
the induction hypothesis implies that u_k[SRM-IPBUFF_h].status ∉ {crashed, member}.
The action rm-join-ack_h sets SRM-MEM_h.status to member. Since u_k[SRM-IPBUFF_h].status ≠
crashed, it also sets SRM-IPBUFF_h.status to member. It follows that the invariant assertion
holds in u.

□ rm-leave_h: from the precondition of the action rm-leave_h, it follows
that u_k[RM-CLIENT_h].status = member. Thus, Invariant 5.16 implies that
u_k[SRM-MEM_h].status = member. Moreover, the induction hypothesis implies that
u_k[SRM-IPBUFF_h].status = member.

Since u_k[SRM-MEM_h].status = member, the rm-leave_h action sets SRM-MEM_h.status
to leave-rqst-pending and SRM-IPBUFF_h.status to idle. Thus, it is the case that
u[SRM-MEM_h].status ∉ {crashed, member} and u[SRM-IPBUFF_h].status ∉ {crashed, member}.
Thus, it follows that the invariant assertion holds in u.

□ mleave_h: the reasoning for this action is analogous to that of mjoin_h.

□ mleave-ack_h: the reasoning for this action is analogous to that of mjoin-ack_h.

□ rm-leave-ack_h: from the precondition of the action rm-leave-ack_h, it follows that
u_k[SRM-MEM_h].status = leave-ack-pending. Since u_k[SRM-MEM_h].status ∉
{crashed, member}, the induction hypothesis implies that u_k[SRM-IPBUFF_h].status ∉
{crashed, member}.

The action rm-leave-ack_h sets SRM-MEM_h.status to idle and does not affect the variable
SRM-IPBUFF_h.status. Thus, it follows that u[SRM-MEM_h].status ∉ {crashed, member} and
u[SRM-IPBUFF_h].status ∉ {crashed, member}. Thus, it follows that the invariant assertion
holds in u. ■


Invariant 5.19 For any reachable state u of RM_I, it is the case that
u[SRM-REC_h].archived-pkts? ⊆ u[SRM].sent-pkts?, for all h ∈ H.

Proof: Let α be any finite timed execution of RM_I leading to u. The proof is by strong induction
on the length n ∈ ℕ of α. For the base case, consider the finite timed execution α of length 0; that
is, α = u. Since u is a start state of RM_I, it is the case that u[SRM-REC_h].archived-pkts? = ∅, for
all h ∈ H, and u[SRM].sent-pkts? = ∅. Thus, the invariant assertion is trivially satisfied in u. For
the inductive step, consider a timed execution α of length k + 1, for k ∈ ℕ. Let α_k be the prefix of α
containing the first k steps of α and u_k = α_k.lstate. For the step from u_k to u we consider only the
actions that affect the variables SRM-REC_h.archived-pkts?, for all h ∈ H, and SRM.sent-pkts?.

□ rm-leave_h, for h ∈ H: the action rm-leave_h reinitializes the variable SRM-REC_h.archived-pkts.
Thus, since u[SRM-REC_h].archived-pkts = ∅, it follows that u[SRM-REC_h].archived-pkts? ⊆
u[SRM].sent-pkts?.

□ rm-send_h(p), for h ∈ H and p ∈ P_RM-CLIENT: the action rm-send_h(p) adds the element (p, now) to
the variable SRM-REC_h.archived-pkts if and only if it sets the variable SRM-REC_h.trans-time(p)
to now; that is, it adds the element id(p) to SRM-REC_h.archived-pkts? if and only if it adds it to
SRM.sent-pkts?. Thus, the induction hypothesis implies that u[SRM-REC_h].archived-pkts? ⊆
u[SRM].sent-pkts?.

□ process-mpkt_h(p), for h ∈ H and p ∈ P_SRM, such that type(p) ∈ {DATA, REPL}: from the
precondition of process-mpkt_h(p), it follows that there exists pkt ∈ u_k[SRM-IPBUFF_h].mrecv-buff,
such that strip(pkt) = p. Since the only action that may add pkt to the variable
SRM-IPBUFF_h.mrecv-buff is mrecv_h(pkt), it follows that the action process-mpkt_h(p) is
preceded in α_k by an action mrecv_h(pkt). Let (u_2, mrecv_h(pkt), u_1) be the discrete transition in
α_k corresponding to the particular occurrence of the action mrecv_h(pkt). Lemma 5.1 implies
that the action mrecv_h(pkt) is preceded in α_k by an action msend_{h'}(pkt), for some h' ∈ H. Let
(u_4, msend_{h'}(pkt), u_3) be the discrete transition in α_k corresponding to the particular occurrence
of the action msend_{h'}(pkt). From the precondition of the action msend_{h'}(pkt), it follows that
pkt ∈ u_4[SRM-IPBUFF_{h'}].msend-buff.

Since the only action that may add packets of type DATA or REPL to the variable
SRM-IPBUFF_{h'}.msend-buff is the action rec-msend_{h'}(p), it follows that an action
rec-msend_{h'}(p) precedes u_4 in α_k. Let (u_6, rec-msend_{h'}(p), u_5) be the discrete transition
in α_k corresponding to the particular occurrence of the action rec-msend_{h'}(p). From the
precondition of the action rec-msend_{h'}(p), it follows that p ∈ u_6[SRM-REC_{h'}].msend-buff.
Invariant 5.7 implies that id(p) ∈ u_6[SRM-REC_{h'}].archived-pkts?. From the induction
hypothesis it is the case that u_6[SRM-REC_{h'}].archived-pkts? ⊆ u_6[SRM].sent-pkts?. Thus,
Lemma 5.2 implies that id(p) ∈ u[SRM].sent-pkts?. Since the action process-mpkt_h(p)
may only add the tuple (strip(p), now) to the variable u[SRM-REC_h].archived-pkts,
the fact that id(p) ∈ u[SRM].sent-pkts? and the induction hypothesis imply that
u[SRM-REC_h].archived-pkts? ⊆ u[SRM].sent-pkts?, as needed. ■


Invariant 5.20 For h ∈ H and any reachable state u of RM_I, it is the case that u[SRM-REC_h].to-be-delivered? ⊆ u[SRM].sent-pkts?.

Proof: Invariant 5.3 implies that, for h' ∈ H, it is the case that u[SRM-REC_h].to-be-delivered?(h') ⊆ u[SRM-REC_h].archived-pkts?(h'). Thus, it is the case that u[SRM-REC_h].to-be-delivered? ⊆ u[SRM-REC_h].archived-pkts?. Invariant 5.19 implies that u[SRM-REC_h].to-be-delivered? ⊆ u[SRM].sent-pkts?. ■



5.4.3 Relation Definition

We define a relation, R, from RM_I to RM_S(Δ), for any Δ ∈ ℝ≥0 ∪ ∞.

Definition 5.1 Let R be the relation between states of RM_I and RM_S(Δ), for any Δ ∈ ℝ≥0 ∪ ∞, such that for any states u and s of RM_I and RM_S(Δ), respectively, (u, s) ∈ R provided that, for all h, h' ∈ H and p ∈ P_RM-CLIENT, such that (s_p, i_p) = id(p), it is the case that:

s.now = u.now
s[RM-CLIENT_h].status = u[RM-CLIENT_h].status
s[RM-CLIENT_h].seqno = u[RM-CLIENT_h].seqno
s[RM(Δ)].status(h) =
    idle     if u[SRM-MEM_h].status = idle
    joining  if u[SRM-MEM_h].status ∈ Joining
    leaving  if u[SRM-MEM_h].status ∈ Leaving
    member   if u[SRM-MEM_h].status = member
    crashed  if u[SRM-MEM_h].status = crashed
s[RM(Δ)].trans-time(p) = u[SRM-REC_{s_p}].trans-time(p)
s[RM(Δ)].expected(h, h') = u[SRM-REC_h].expected(h')
s[RM(Δ)].delivered(h, h') = u[SRM-REC_h].delivered(h')
5.4.4 Safety Analysis

In this section, we show that our reliable multicast implementation RM_I indeed implements the reliable multicast service specification RM_S(∞). The following lemma states that the relation R of Definition 5.1 is a timed forward simulation relation from RM_I to RM_S(∞).

Lemma 5.11 R is a timed forward simulation relation from RM_I to RM_S(∞).

Proof: We must show that: i) if u ∈ start(RM_I), then there is some s ∈ start(RM_S(∞)) such that (u, s) ∈ R, and ii) if u is a reachable state of RM_I, s is a reachable state of RM_S(∞) such that (u, s) ∈ R, and (u, π, u') ∈ trans(RM_I), then there exists a timed execution fragment α of RM_S(∞) such that: α.fstate = s, ttrace(α) = ttrace(uπu'), the total amount of time-passage in α is the same as the total amount of time-passage in uπu', and (u', s') ∈ R, for s' = α.lstate.

The satisfaction of the start condition is straightforward. For the step, we consider only the actions in acts(RM_I) that affect the variables of RM_I that are used in R to obtain the corresponding state in RM_S(∞). Moreover, since the client automata RM-CLIENT_h, for all h ∈ H, are identical in both RM_I and RM_S(∞), we do not consider the effect of the actions of RM_I on the state of the client automata. Thus, we consider only the actions of the SRM component of RM_I that affect the variables of SRM that are present in R.

□ crash_h, for any h ∈ H: the corresponding execution fragment of RM_S(∞) is comprised solely of the crash_h action. The crash_h action of RM_I simply sets the variable u[SRM-MEM_h].status to crashed and resets u[SRM-REC_h].expected(h') and u[SRM-REC_h].completed(h'), for all h' ∈ H. It is straightforward to see that the crash_h action of RM_S(∞) mirrors these effects. Thus, it follows that (u', s') ∈ R.

□ rm-join_h, for any h ∈ H: the corresponding execution fragment of RM_S(∞) is comprised solely of the rm-join_h action. It is straightforward to see that the effects of the rm-join_h action in the specification correspond to those in the implementation.

□ mjoin_h, for any h ∈ H: the corresponding execution fragment of RM_S(∞) is the empty timed execution fragment. Since the mjoin_h action is enabled in state u, it follows that u[SRM-MEM_h].status ∈ Joining. Thus, R implies that s[RM(∞)].status(h) = joining. The effects of the mjoin_h action are to set the status variable to join-pending. It follows that u'[SRM-MEM_h].status ∈ Joining. Since the corresponding execution fragment of RM_S(∞) is the empty timed execution fragment, it is the case that s' = s and s'[RM(∞)].status(h) = joining. Thus, it follows that (u', s') ∈ R.

□ mjoin-ack_h, for any h ∈ H: the corresponding execution fragment of RM_S(∞) is the empty timed execution fragment. The mjoin-ack_h action affects the state of the SRM-MEM_h automaton only when the host h is in the process of joining the reliable multicast group; that is, u[SRM-MEM_h].status ∈ Joining. Thus, R implies that s[RM(∞)].status(h) = joining. The effects of the mjoin-ack_h action are to set the status variable to join-ack-pending. It follows that u'[SRM-MEM_h].status ∈ Joining. Since the corresponding execution fragment of RM_S(∞) is the empty timed execution fragment, it is the case that s' = s and s'[RM(∞)].status(h) = joining. Thus, it follows that (u', s') ∈ R.

□ rm-leave_h, for any h ∈ H: the corresponding execution fragment of RM_S(∞) is comprised solely of the rm-leave_h action. From the precondition of the rm-leave_h action in the RM-CLIENT_h automaton, it follows that u[RM-CLIENT_h].status = member. Thus, Invariant 5.16 implies that u[SRM-MEM_h].status = member and, since (u, s) ∈ R, it is the case that s[RM(∞)].status(h) = member.

Since u[SRM-MEM_h].status = member, the rm-leave_h action of RM_I sets the status variable of SRM-MEM_h to leave-rqst-pending. The rm-leave_h action of RM_S(∞) sets the status(h) variable of RM(∞) to leaving. Thus, it follows that u'[SRM-MEM_h].status ∈ Leaving and s'[RM(∞)].status(h) = leaving, as required by R.

Moreover, the rm-leave_h action of RM_I resets the expected and delivered packet sets of SRM-REC_h; that is, u'[SRM-REC_h].expected(h') = ∅ and u'[SRM-REC_h].delivered(h') = ∅, for all h' ∈ H. Similarly, the rm-leave_h action of RM_S(∞) also resets the variables expected(h, h') and delivered(h, h'), for h' ∈ H; that is, s'[RM(∞)].expected(h, h') = ∅ and s'[RM(∞)].delivered(h, h') = ∅. Thus, it follows that (u', s') ∈ R.

□ mleave_h, for any h ∈ H: the corresponding execution fragment of RM_S(∞) is the empty timed execution fragment. Since the mleave_h action is enabled in state u, it follows that u[SRM-MEM_h].status ∈ Leaving. Thus, R implies that s[RM(∞)].status(h) = leaving. The effects of the mleave_h action of RM_I are to set the status variable of SRM-MEM_h to leave-pending. It follows that u'[SRM-MEM_h].status ∈ Leaving. Since the corresponding execution fragment of RM_S(∞) is the empty timed execution fragment, it is the case that s' = s and s'[RM(∞)].status(h) = leaving. Thus, it follows that (u', s') ∈ R.

□ mleave-ack_h, for any h ∈ H: the corresponding execution fragment of RM_S(∞) is the empty timed execution fragment. The mleave-ack_h action affects the state of the SRM-MEM_h automaton only when the host h is in the process of leaving the reliable multicast group; that is, u[SRM-MEM_h].status ∈ Leaving. In this case, R implies that s[RM(∞)].status(h) = leaving. The effects of the mleave-ack_h action of RM_I are to set the status variable of SRM-MEM_h to leave-ack-pending. It follows that u'[SRM-MEM_h].status ∈ Leaving. Since the corresponding execution fragment of RM_S(∞) is the empty timed execution fragment, it is the case that s' = s and s'[RM(∞)].status(h) = leaving. Thus, it follows that (u', s') ∈ R.

□ rm-join-ack_h, for any h ∈ H: the corresponding execution fragment of RM_S(∞) is comprised solely of the rm-join-ack_h action. We begin by showing that the rm-join-ack_h action of RM_S(∞) is enabled in s. The precondition of the rm-join-ack_h action of RM_I implies that u[SRM-MEM_h].status ∈ Joining. Since (u, s) ∈ R, it follows that s[RM(∞)].status(h) = joining. Thus, it follows that the rm-join-ack_h action of RM_S(∞) is enabled in s.

The rm-join-ack_h action of RM_I sets the status variable of SRM-MEM_h to member. Similarly, the rm-join-ack_h action of RM_S(∞) sets the status(h) variable of RM_S(∞) to member. Thus, it follows that (u', s') ∈ R.

□ rm-leave-ack_h, for any h ∈ H: the corresponding execution fragment of RM_S(∞) is comprised solely of the rm-leave-ack_h action. We begin by showing that the rm-leave-ack_h action of RM_S(∞) is enabled in s. The precondition of the rm-leave-ack_h action of RM_I implies that u[SRM-MEM_h].status ∈ Leaving. Since (u, s) ∈ R, it follows that s[RM(∞)].status(h) = leaving. Thus, it follows that the rm-leave-ack_h action of RM_S(∞) is enabled in s.

The rm-leave-ack_h action of RM_I sets the status variable of SRM-MEM_h to idle. Similarly, the rm-leave-ack_h action of RM_S(∞) sets the status(h) variable of RM_S(∞) to idle. Thus, it follows that (u', s') ∈ R.

□ rm-send_h(p), for any h ∈ H and p ∈ P_RM-CLIENT: the corresponding execution fragment of RM_S(∞) is comprised solely of the rm-send_h(p) action. Let s_p and i_p denote the source and sequence number of p, respectively.

From the precondition of the rm-send_h(p) action of RM_I, it follows that u[RM-CLIENT_h].status = member and h = s_p. Invariant 5.16 implies that u[SRM-MEM_h].status = member and, since (u, s) ∈ R, it is the case that s[RM(∞)].status(h) = member.

We consider the effects of rm-send_h(p) according to whether p is the foremost packet from h. First, consider the case where p is the foremost packet from h; that is, u[SRM-REC_h].min-seqno(s_p) = ⊥. In this case, the rm-send_h(p) action of RM_I sets the expected set from h to the set suffix(p), adds id(p) to the set of delivered packets from h, and records the transmission time of p.

Since it is the case that u[SRM-REC_h].min-seqno(s_p) = ⊥, Invariant 5.6 implies that u[SRM-REC_h].expected(s_p) = ∅. Since (u, s) ∈ R, it follows that s[RM(∞)].expected(h, h) = ∅. Thus, the rm-send_h(p) action of RM_S(∞) matches the effects of the rm-send_h(p) action of RM_I. It follows that (u', s') ∈ R.

Second, consider the case where p is not the foremost packet from h; that is, u[SRM-REC_h].min-seqno(s_p) ≠ ⊥. In this case, Invariant 5.17 and the precondition of rm-send_h(p) imply that i_p = u[SRM-REC_h].max-seqno(s_p) + 1. Thus, the rm-send_h(p) action of RM_I records the transmission time of p and adds id(p) to the set of delivered packets from h.

Since it is the case that i_p = u[SRM-REC_h].max-seqno(s_p) + 1, Invariant 5.2 implies that u[SRM-REC_h].min-seqno(s_p) ≤ i_p. Thus, it follows that id(p) ∈ u[SRM-REC_h].proper?(h). Since u[SRM-MEM_h].status = member, Invariant 5.6 implies that u[SRM-REC_h].expected(h) = u[SRM-REC_h].proper?(h). Thus, it follows that id(p) ∈ u[SRM-REC_h].expected(h). Since (u, s) ∈ R, it is the case that s[RM(∞)].expected(h, h) = u[SRM-REC_h].expected(h). Thus, it follows that id(p) ∈ s[RM(∞)].expected(h, h). Thus, the rm-send_h(p) action of RM_S(∞) also records the transmission time of p and adds p to the set of delivered packets from h. Thus, it follows that (u', s') ∈ R.

□ rm-recv_h(p), for any h ∈ H and p ∈ P_RM-CLIENT: the corresponding execution fragment of RM_S(∞) is comprised solely of the rm-recv_h(p) action. Let s_p and i_p denote the source and sequence number of p, respectively.

We first show that the rm-recv_h(p) action of RM_S(∞) is enabled in the state s. From the precondition of the rm-recv_h(p) action of RM_I, it follows that u[SRM-REC_h].status = member and p ∈ u[SRM-REC_h].to-be-delivered. Invariant 5.18 implies that u[SRM-MEM_h].status = member and, since (u, s) ∈ R, it follows that s[RM(∞)].status(h) = member. Since p ∈ u[SRM-REC_h].to-be-delivered, Invariant 5.8 implies that h ≠ source(p). Moreover, Invariant 5.20 implies that p ∈ u[SRM].sent-pkts. Since (u, s) ∈ R, it follows that p ∈ s[RM(∞)].sent-pkts.

We proceed by showing that s satisfies the last two terms in the precondition of rm-recv_h(p) in RM_S(∞). Since the delivery delay parameter Δ is equal to ∞ for the RM_S(∞) automaton, s[RM(∞)] trivially satisfies the term expected(h, s_p) = ∅ ⇒ now ≤ trans-time(p) + Δ.

Finally, we show that s[RM(∞)] satisfies the term expected(h, s_p) ≠ ∅ ⇒ id(p) ∈ expected(h, s_p). Suppose that it is the case that s[RM(∞)].expected(h, s_p) ≠ ∅. Since (u, s) ∈ R, it follows that u[SRM-REC_h].expected(s_p) ≠ ∅. Thus, since p ∈ u[SRM-REC_h].to-be-delivered, Invariant 5.9 implies that id(p) ∈ u[SRM-REC_h].expected(s_p). Finally, since (u, s) ∈ R, it follows that id(p) ∈ s[RM(∞)].expected(h, s_p), as needed.

The rm-recv_h(p) action of RM_I sets the expected set of packets from s_p to the set suffix(p), unless already non-empty, and adds p to the set of delivered packets from s_p. The rm-recv_h(p) action of RM(∞) matches precisely the effects of the rm-recv_h(p) action of RM_I. Thus, it follows that (u', s') ∈ R.

□ ν(t), for any t ∈ ℝ≥0: the corresponding execution fragment of RM_S(∞) is comprised solely of the ν(t) action. Since the effects of the ν(t) actions of the RM_I and the RM_S(∞) automata are identical, it suffices to show that the ν(t) action is enabled in s. Since the delivery delay parameter Δ is equal to ∞ for the RM_S(∞) automaton, the term now + t ≤ trans-time(p) + Δ of the precondition of the ν(t) action of RM_S(∞) is satisfied for all p ∈ P_RM-CLIENT. Thus, it follows that the ν(t) action of RM_S(∞) is enabled in s. ■

Theorem 5.12 RM_I ≤ RM_S(∞)

Proof: Follows directly from Lemma 5.11. ■



5.4.5 Liveness Analysis

In this section, we show that, under certain constraints, RM_I implements RM_S(Δ), for any Δ ∈ ℝ≥0.

Definitions

Suppose p ∈ P_RM-CLIENT, pkt ∈ P_SRM, and α is an admissible timed execution of RM_I that contains the transmission of p; that is, α contains the action rm-send_h(p), for h ∈ H, h = source(p). For pkt ∈ P_SRM, we say that pkt pertains to p if type(pkt) ∈ {DATA, RQST, REPL} and id(pkt) = id(p). We let P_SRM[p] denote the elements of P_SRM that pertain to p.

We let the number of packet drops in α pertaining to p, denoted α.drops(p), be the number of packet drops suffered by packets pertaining to p; that is, α.drops(p) is the number of occurrences of an action mdrop(pkt', H_d) in α, for pkt' ∈ P_IPMCAST-CLIENT and H_d ⊆ H, such that strip(pkt') ∈ P_SRM[p].

We let aexecs_k(RM_I), for k ∈ ℕ+, be the set of admissible timed executions of RM_I in which the number of packet drops suffered by the packets pertaining to the transmission and, potentially, the recovery of any packet p is at most k. That is, α ∈ aexecs_k(RM_I) iff α.drops(p') ≤ k, for any packet p' ∈ P_RM-CLIENT transmitted in α. Finally, we let attraces_k(RM_I) be the traces of all executions of RM_I in aexecs_k(RM_I).

We let the transmission time of p in α, denoted α.trans-time(p), be the point in time in α at which p is transmitted; that is, the time of occurrence of rm-send_h(p) in α. Since packets are transmitted by the clients of the reliable multicast service at most once (Lemma 4.2), it follows that the transmission time of any packet transmitted in any admissible timed execution of RM_I is well-defined and unique.

Execution Constraints

We proceed by defining several constraints on admissible executions of RM_I. These constraints facilitate the statement of conditional claims regarding the timely transmission of packets for RM_I.

Constraint 5.1 (No Crashes) Let α be any admissible timed execution of RM_I. None of the hosts crash in α; that is, for any h ∈ H, no crash_h actions occur in α.

Constraint 5.2 (No Leaves) Let α be any admissible timed execution of RM_I. None of the hosts leave the reliable multicast group in α; that is, for any h ∈ H, no rm-leave_h actions occur in α.

Let d̲, d̄ ∈ ℝ≥0, such that d̲ > 0, d̄ > 0, and d̲ ≤ d̄. The following constraint specifies the set of executions of RM_I in which the transmission latency between any two hosts h, h' ∈ H, h ≠ h', is bounded from below and above by d̲ and d̄, respectively.
Constraint 5.3 (Bounded Inter-host Transmission Latencies) Let α be any admissible timed execution of RM_I and h, h' be any two distinct hosts in H. The transmission latency incurred by any packet multicast using the IP multicast service by h and received by h' in α lies in the interval [d̲, d̄]; that is, if p ∈ P_IPMCAST-CLIENT is a packet multicast by h in α, then the time elapsing from the time of occurrence of the action msend_h(p) to that of any action mrecv_h'(p) lies in the interval [d̲, d̄].

The following constraint specifies the set of executions of RM_I in which the fate of any packet transmitted using the IP multicast service is resolved within d̄ time units.

Constraint 5.4 (Bounded Transmission Resolution) Let α be any admissible execution of RM_I containing the discrete transition (u, π, u'), for u, u' ∈ states(RM_I), h ∈ H, p ∈ P_IPMCAST-CLIENT, and π = msend_h(p). Then, for all h' ∈ u[IPMCAST].members, h' ≠ h, either a crash_h', rm-leave_h', mrecv_h'(p), or mdrop(p, H_d), for H_d ⊆ H, h' ∈ H_d, action occurs no later than d̄ time units after the particular occurrence of the discrete transition (u, π, u') in α.

The following constraint specifies the set of executions of RM_I in which the inter-host distance estimates of any host always lie in the interval [d̲, d̄]. The satisfaction of this constraint requires that DFLT-DIST ∈ [d̲, d̄].

Constraint 5.5 (Bounded Inter-host Distance Estimates) Let α be any admissible timed execution of RM_I. For any state u of RM_I in α, the inter-host distance estimates of the recovery component of each reliable multicast process of RM_I lie in the interval [d̲, d̄]; that is, u[SRM-REC_h].dist(h') ∈ [d̲, d̄], for all h, h' ∈ H, h ≠ h'.

Letting DET-BOUND ∈ ℝ≥0, such that d̄ ≤ DET-BOUND, the following constraint specifies the set of executions of RM_I in which the delay in detecting packet losses is bounded by DET-BOUND.

Constraint 5.6 (Bounded Detection Latency) Let α be any admissible timed execution of RM_I. Let p ∈ P_RM-CLIENT be any packet transmitted in α, id(p) = (s_p, i_p), and h ∈ H, h ≠ s_p. Moreover, let u be any state of RM_I in α such that α.trans-time(p) + DET-BOUND ≤ u.now. Then, if id(p) ∈ u[SRM-REC_h].expected(s_p), then either id(p) ∈ u[SRM-REC_h].delivered(s_p) or id(p) ∈ u[SRM-REC_h].scheduled-rqsts?.

Let C-aexecs(RM_I) be the set of all admissible timed executions of RM_I in aexecs(RM_I) that satisfy Constraints 5.1, 5.2, 5.3, 5.4, 5.5, and 5.6. Let C-attraces(RM_I) be the traces of all the executions of RM_I in C-aexecs(RM_I). Let C-aexecs_k(RM_I), for k ∈ ℕ+, be the subset of aexecs_k(RM_I) comprised of all admissible timed executions of RM_I that satisfy Constraints 5.1, 5.2, 5.3, 5.4, 5.5, and 5.6; that is, for k ∈ ℕ+, C-aexecs_k(RM_I) = aexecs_k(RM_I) ∩ C-aexecs(RM_I). Moreover, let C-attraces_k(RM_I) be the traces of all executions of RM_I in C-aexecs_k(RM_I).

Execution Definitions

Let α' be any admissible timed execution in C-aexecs(RM_I). We say that the host h detects the loss of p in α' if it schedules a request for p ∈ P_RM-CLIENT in α'. If the host h detects the loss of p in α', then we let α'.det-time_h(p) denote the point in time in α' at which h detects the loss of p. We let α'.det-latency_h(p) denote the loss detection latency of p for h in α'; that is, the time elapsing from the time p is transmitted to the time the host h detects the loss of p in α'. We let α'.rec-latency_h(p) denote the loss recovery latency of p for h in α'; that is, the time elapsing from the time the host h detects the loss of p to the time it receives p in α'.

When a host h ∈ H schedules a request for p ∈ P_RM-CLIENT with a back-off of k − 1, for any k ∈ ℕ+, we say that it initiates a k-th recovery round for p. Each recovery round (except the first) also initiates a back-off abstinence period. Any request for p received during this back-off abstinence period is discarded. If the packet p is received while a scheduled request for p by h is awaiting transmission, then the scheduled request is canceled. Once the back-off abstinence period expires, either the reception of a request for p or the transmission of the scheduled request for p by h initiates the k+1-st recovery round for p at h. In this case, we define the k-th round request of h for p to be the request for p upon whose reception or transmission the host h initiates the k+1-st recovery round for p. Moreover, we define the completion time of the k-th recovery round for p of h to be the point in time at which h either receives p or initiates its k+1-st recovery round for p.

Suppose that a host h' ∈ H receives the k-th round request of h for p while it is a member of the reliable multicast group and after archiving the packet p. When h' receives this request, either i) a reply for p is already scheduled, ii) a reply for p is already pending, or iii) a reply for p is neither scheduled, nor pending. In the case where a reply for p is already scheduled, h's request for p is discarded. Moreover, the reply that is already scheduled at h' is considered to be the reply pertaining to the k-th round request of h for p. In the case where a reply for p is already pending, h's request for p is discarded. Moreover, the reply that is pending at h' is considered to be the reply pertaining to the k-th round request of h for p. Finally, in the case where a reply for p is neither scheduled, nor pending, h' schedules a reply for p. The reply that is either received or transmitted by h' and that results in the cancellation of the reply scheduled by h' for p is considered to be the reply to the k-th round request of h for p.

Liveness Proof

Lemma 5.13 Let α be any admissible timed execution of RM_I that satisfies Constraint 5.3 and contains the occurrence of a discrete transition (u, π, u'), for u, u' ∈ states(RM_I), h ∈ H, p ∈ P_IPMCAST-CLIENT, and π = mrecv_h(p). Then, any other mrecv_h'(p), for h' ∈ H, h' ≠ h, in α occurs no earlier and no later than d̄ − d̲ time units from the particular occurrence of (u, π, u') in α.

Proof: Let (v, π, v'), for v, v' ∈ states(RM_I), h' ∈ H, h' ≠ h, p ∈ P_IPMCAST-CLIENT, and π = msend_h'(p), be the discrete transition in α involving the transmission of p. Constraint 5.3 implies that the time elapsing from the time of occurrence of the action msend_h'(p) to that of any action mrecv_h''(p), for h'' ∈ H, h'' ≠ h', lies in the interval [d̲, d̄]. Thus, any two such actions are separated in time by at most d̄ − d̲ time units. ■

Definition 5.2 Let h ∈ H, k ∈ ℕ+, p ∈ P_RM-CLIENT, (s, i) = id(p), and α ∈ C-aexecs(RM_I). We say that h either sends or receives its k-th round request for p and schedules its k+1-st round request for p upon the occurrence of a discrete transition (u, π, u') in α such that ⟨s, i, t, k⟩ ∈ u[SRM-REC_h].scheduled-rqsts and ⟨s, i, t', k+1⟩ ∈ u'[SRM-REC_h].scheduled-rqsts, for some t, t' ∈ ℝ≥0.

Lemma 5.14 Let k ∈ ℕ+, k > 1, h ∈ H, p ∈ P_RM-CLIENT, and α ∈ C-aexecs(RM_I) such that α contains the transmission of p. Suppose that the host h schedules k-th and k+1-st round requests for the packet p in α. Let t_k, t_{k+1} ∈ ℝ≥0 be the points in time in α at which the host h schedules its k-th and k+1-st round requests for p, respectively. Then, it is the case that t_{k+1} ≤ t_k + 2^{k−1}(C_1 + C_2) d̄.
Proof: This follows from the fact that time in the SRM-REC_h automaton is not allowed to elapse past the transmission time of any scheduled request. Constraint 5.5 implies that the k-th round request is scheduled for transmission no later than t_k + 2^{k−1}(C_1 + C_2) d̄. Thus, if no request is received by h prior to the time at which its k-th round request for p is scheduled for transmission, then h transmits its k-th round request. Thus, h either sends or receives its k-th round request for p no later than t_k + 2^{k−1}(C_1 + C_2) d̄, as required. ■

Corollary 5.15 Let k ∈ ℕ+, h ∈ H, p ∈ P_RM-CLIENT, and α ∈ C-aexecs(RM_I) such that α contains the transmission of p. Suppose that the host h schedules k-th and k+1-st round requests for the packet p in α. Let t_{k+1} ∈ ℝ≥0 be the point in time in α at which the host h either sends or receives its k-th round request for p and schedules its k+1-st round request for p. Then, it is the case that t_{k+1} ≤ α.det-time_h(p) + (2^k − 1)(C_1 + C_2) d̄.

Proof: Follows from Lemma 5.14 and the fact that h detects the loss of p at the point in time when it first schedules a request for p. According to the SRM-REC_h automaton, the first request scheduled for a packet is either a 1-st or 2-nd round request for the given packet. ■

Lemma 5.16 Let k ∈ ℕ+, k > 1, h ∈ H, p ∈ P_RM-CLIENT, and α ∈ C-aexecs(RM_I) such that α contains the transmission of p. Suppose that the host h schedules k-th and k+1-st round requests for the packet p in α. Let t_k, t_{k+1} ∈ ℝ≥0 be the points in time in α at which the host h schedules its k-th and k+1-st round requests for p, respectively. Then, it is the case that t_k + 2^{k−1} C_3 d̲ < t_{k+1}.

Proof: Constraint 5.5 implies that the k-th round back-off abstinence period expires no earlier than 2^{k−1} C_3 d̲ time units past t_k; that is, no earlier than t_k + 2^{k−1} C_3 d̲ in α. From Assumption 5.1, it is the case that C_3 < C_1. Thus, the k-th round request is scheduled for transmission at a point in time that succeeds t_k + 2^{k−1} C_3 d̲ in α.

The host h schedules its k+1-st round request for p when it either sends or receives its k-th round request for p; that is, upon the occurrence of either a send-rqst_h(s, i) action, such that (s, i) = id(p), or a process-mpkt_h(pkt) action, for pkt ∈ P_SRM, such that id(pkt) = id(p) and type(pkt) = RQST. In the case of a send-rqst_h(s, i) action, Invariant 5.15 implies that if the send-rqst_h(s, i) action is enabled, then a request for p is not pending. In the case of a process-mpkt_h(pkt) action, the effects of the action process-mpkt_h(pkt) imply that the k-th round request for p is backed-off only while a request for p is not pending.

It follows that the point in time at which the host h either sends or receives its k-th round request for p succeeds the expiration time of the back-off abstinence period of the k-th round request of h for p; that is, t_k + 2^{k−1} C_3 d̲ < t_{k+1}. ■

Lemma 5.17 Let h, h' ∈ H, h ≠ h', p ∈ P_RM-CLIENT, and α ∈ C-aexecs(RM_I) such that α contains the transmission of p. Suppose that h' receives a request for p from h at time t' ∈ ℝ≥0 in α. Suppose that when h' receives this request, it is a member of the reliable multicast group and has already archived p. Then, the reply of h' pertaining to the particular request of h for p is either sent or received by h' no later than t' + (D_1 + D_2) d̄ in α.

Proof: Constraint 5.5 implies a reply is scheduled for transmission no later than (D_1 + D_2) d̄ time units past its scheduling time. When h' receives the request of h for p, a reply for p is either already scheduled, already pending, or neither scheduled nor pending. We consider each of these scenarios separately. First, if a reply for p is already scheduled, its transmission time is no later
than t' + (D_1 + D_2) d̄ in α. Thus, if neither an original transmission nor a reply for p is received by h' by the scheduled transmission time of its own reply, then the host h' transmits its own reply. It follows that the reply of h' pertaining to the particular request of h for p is either sent or received by h' no later than the point in time t' + (D_1 + D_2) d̄ in α. Second, if a reply for p is already pending, then the reply of h' pertaining to the particular request of h for p has already been either sent or received; that is, the reply of h' pertaining to the particular request of h for p is either sent or received by h' no later than t'. Finally, if a reply for p is neither scheduled nor pending, then the reply of h' pertaining to the particular request for p from h is scheduled for no later than t' + (D_1 + D_2) d̄. In every scenario, the reply of h' pertaining to the particular request of h for p is either sent or received by h' no later than t' + (D_1 + D_2) d̄ in α. ■

Lemma 5.18 Let h, h' ∈ H, h ≠ h', p ∈ P_RM-CLIENT, and α ∈ C-aexecs(RM_I) such that α contains the transmission of p. Suppose that h' receives a request for p from h at time t' ∈ ℝ≥0 in α. Suppose that when h' receives this request, it is a member of the reliable multicast group and has already archived p. Then, the reply abstinence period of the reply of h' pertaining to the particular request of h for p expires no later than t' + (D_1 + D_2 + D_3) d̄ in α.

Proof: Constraint 5.5 implies that the reply abstinence period of any reply expires no later than (D_1 + D_2 + D_3) d̄ time units past its scheduling time. The rest of the proof is analogous to the proof of Lemma 5.17. ■

Lemma 5.19 Let k ∈ ℕ+, h, h' ∈ H, h ≠ h', p ∈ P_RM-CLIENT, and α ∈ C-aexecs(RM_I) such that α contains the transmission of p. Suppose that the host h schedules k-th and k+1-st round requests for the packet p in α. Suppose that the host h' receives the k-th round request of h for p. Let t_{k+1} ∈ ℝ≥0 be the point in time in α at which the host h either sends or receives its k-th round request for p and schedules its k+1-st round request for p. Then, the host h' receives the k-th round request of h for p no later than t_{k+1} + d̄ in α.

Proof: The host h either sends or receives its k-th round request for p and schedules its k+1-st round request for p upon the occurrence of either a send-rqst_h(s, i) or a process-mpkt_h(pkt) action, where id(pkt) = id(p) and type(pkt) = RQST. We consider these two cases separately.

First, in the case of a send-rqst_h(s, i) action, Constraints 5.1 and 5.2 and Lemmas 5.6 and 5.8 imply that the send-rqst_h(s, i) action is instantaneously followed by a msend_h(pkt') action, for pkt' ∈ P_IPMCAST-CLIENT, such that id(strip(pkt')) = id(p) and type(strip(pkt')) = RQST. Furthermore, Constraint 5.3 implies that h' receives this request within at most d̄ time units.

Second, in the case of a process-mpkt_h(pkt) action, a mrecv_h(pkt') action, for pkt' ∈ P_IPMCAST-CLIENT, such that pkt = strip(pkt'), instantaneously precedes process-mpkt_h(pkt). Lemma 5.13 implies that h' receives this request within at most d̄ − d̲ time units. ■

Lemma 5.20 Let α be any admissible timed execution of RM_I that contains the transmission of a packet p ∈ P_RM-CLIENT. For any state u ∈ states(RM_I) in α, if u.trans-time(p) ≠ ⊥, then u.trans-time(p) = α.trans-time(p).

Proof: The only action that sets the variable trans-time(p) is the action rm-send_h(p), for h = source(p). By Lemma 4.2, the action rm-send_h(p) occurs only once in α. Let (v, rm-send_h(p), v') be the discrete transition in α involving the action rm-send_h(p). By the definition of α.trans-time(p), it follows that α.trans-time(p) = v.now. The action rm-send_h(p) sets the variable trans-time(p) to the value of now. It follows that v'.trans-time(p) = α.trans-time(p).
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Since the action rm-send^(p) occurs in a only once, it follows that for any V— ,v+ £ a, such 
that V- < a v and v' < a v+, it is the case that v^.trans-time{p) =_L and v+.trans-time{p) = 
v' .trans-time{p). Since v' .trans-time{p) = a.trans-time{p), it follows that v+.trans-time{p) = 
a.trans-time{p). H 

Lemma 5.21 Let h,hl £ H, a £ aexecs{RMj), u,u' £ states{RMj) be any states in a, such 
that u < a vl , and a uu / be the finite execution fragment of a starting in u and ending in vl . If 
u[SRM-RECh\. expected{h') 7^ and a uu i contains neither crash^ nor rm-leave/j actions, then it 
is the case that u[SRM-rec h]- expected {h') = u 1 '[SRM-reC/J. expected {hi). 



Proof: The proof is by induction on the length $n \in \mathbb{N}$ of $\alpha_{uu'}$. For the base case, consider
a finite execution fragment $\alpha_{uu'}$ of length $n = 0$. Since $u = u'$, it trivially follows that
$u[\textit{SRM-REC}_h].\textit{expected}(h') = u'[\textit{SRM-REC}_h].\textit{expected}(h')$.

For the inductive step, consider an execution fragment $\alpha_{uu'}$ of length $n = k+1$. Let $\alpha_k$ be
the prefix of $\alpha_{uu'}$ involving the first $k$ steps and $u_k = \alpha_k.\textit{lstate}$. Suppose that
$u[\textit{SRM-REC}_h].\textit{expected}(h') \ne \emptyset$ and $\alpha_{uu'}$ contains neither $\textit{crash}_h$ nor
$\textit{rm-leave}_h$ actions. The induction hypothesis implies that
$u[\textit{SRM-REC}_h].\textit{expected}(h') = u_k[\textit{SRM-REC}_h].\textit{expected}(h')$.

Now, consider the step from $u_k$ to $u'$. The only actions of $\textit{SRM-REC}_h$ that may affect the variable
$\textit{SRM-REC}_h.\textit{expected}(h')$ are the actions $\textit{crash}_h$, $\textit{rm-leave}_h$,
$\textit{rm-send}_h(p)$, and $\textit{rm-recv}_h(p)$, for $p \in P_{\textit{RM-Client}}$. $\alpha_{uu'}$ contains
neither $\textit{crash}_h$ nor $\textit{rm-leave}_h$ actions. The action $\textit{rm-send}_h(p)$ affects the
variable $\textit{SRM-REC}_h.\textit{expected}(h')$ only when $h' = h = \textit{source}(p)$ and
$\textit{SRM-REC}_h.\textit{expected}(h') = \emptyset$. The action $\textit{rm-recv}_h(p)$ affects the variable
$\textit{SRM-REC}_h.\textit{expected}(h')$ only when $h' = \textit{source}(p)$ and
$\textit{SRM-REC}_h.\textit{expected}(h') = \emptyset$. Since $u[\textit{SRM-REC}_h].\textit{expected}(h') \ne \emptyset$,
the step from $u_k$ to $u'$ does not affect the variable $\textit{SRM-REC}_h.\textit{expected}(h')$; that is,
$u_k[\textit{SRM-REC}_h].\textit{expected}(h') = u'[\textit{SRM-REC}_h].\textit{expected}(h')$. Since
$u[\textit{SRM-REC}_h].\textit{expected}(h') = u_k[\textit{SRM-REC}_h].\textit{expected}(h')$, it follows that
$u[\textit{SRM-REC}_h].\textit{expected}(h') = u'[\textit{SRM-REC}_h].\textit{expected}(h')$. ■

Lemma 5.22 Let $h, h' \in H$, $\alpha \in \textit{aexecs}(RM_I)$, $u, u' \in \textit{states}(RM_I)$ be any states in
$\alpha$, such that $u \le_\alpha u'$, and $\alpha_{uu'}$ be the execution fragment of $\alpha$ starting in $u$ and
ending in $u'$. If $\alpha_{uu'}$ contains neither $\textit{crash}_h$ nor $\textit{rm-leave}_h$ actions, then it is
the case that $u[\textit{SRM-REC}_h].\textit{expected}(h') \subseteq u'[\textit{SRM-REC}_h].\textit{expected}(h')$.

Proof: Suppose that $\alpha_{uu'}$ contains neither $\textit{crash}_h$ nor $\textit{rm-leave}_h$ actions. If it is the
case that $u[\textit{SRM-REC}_h].\textit{expected}(h') = \emptyset$, then it trivially follows that
$u[\textit{SRM-REC}_h].\textit{expected}(h') \subseteq u'[\textit{SRM-REC}_h].\textit{expected}(h')$. Otherwise, if
$u[\textit{SRM-REC}_h].\textit{expected}(h') \ne \emptyset$, then Lemma 5.21 implies that
$u[\textit{SRM-REC}_h].\textit{expected}(h') = u'[\textit{SRM-REC}_h].\textit{expected}(h')$. It follows that
$u[\textit{SRM-REC}_h].\textit{expected}(h') \subseteq u'[\textit{SRM-REC}_h].\textit{expected}(h')$. ■

Lemma 5.23 Let $h, h' \in H$, $\alpha \in \textit{aexecs}(RM_I)$, $u, u' \in \textit{states}(RM_I)$ be any states in
$\alpha$, such that $u \le_\alpha u'$, and $\alpha_{uu'}$ be the finite execution fragment of $\alpha$ starting in $u$
and ending in $u'$. If $\alpha_{uu'}$ contains neither $\textit{crash}_h$ nor $\textit{rm-leave}_h$ actions, then it
is the case that $u[\textit{SRM-REC}_h].\textit{delivered}(h') \subseteq u'[\textit{SRM-REC}_h].\textit{delivered}(h')$.

Proof: Follows by induction on the length $n \in \mathbb{N}$ of the finite execution fragment $\alpha_{uu'}$ after
recognizing that all actions, except $\textit{crash}_h$ and $\textit{rm-leave}_h$, may only add elements to the
variable $\textit{SRM-REC}_h.\textit{delivered}(h')$. ■
Lemma 5.24 Let $k \in \mathbb{N}^+$, $p \in P_{\textit{RM-Client}}$, and $\alpha$ be any admissible timed execution
of $RM_I$ in $\textit{C-aexecs}_k(RM_I)$ that contains the transmission of $p$. Moreover, let $h \in H$ and $u$ be
any state of $RM_I$ in $\alpha$ such that $\alpha.\textit{trans-time}(p) + d < u.\textit{now}$ and
$\textit{id}(p) \in u[\textit{SRM-REC}_h].\textit{expected}(\textit{source}(p))$. For any state
$u' \in \textit{states}(RM_I)$ in $\alpha$ such that $\alpha.\textit{trans-time}(p) + d < u'.\textit{now}$ and
$u' \le_\alpha u$, it is the case that $\textit{id}(p) \in u'[\textit{SRM-REC}_h].\textit{expected}(\textit{source}(p))$.

Proof: Let $\textit{id}(p) = \langle s_p, i_p \rangle$ and $p' \in P_{\textit{RM-Client}}$, such that
$\textit{id}(p') = \langle s_p, i' \rangle$, be the earliest packet expected from $s_p$ by $h$ in the state $u$; that
is, $\textit{id}(p') \in u[\textit{SRM-REC}_h].\textit{expected}(s_p)$ and for all
$\langle s_p, i'' \rangle \in u[\textit{SRM-REC}_h].\textit{expected}(s_p)$ it is the case that $i' \le i''$. Thus,
it follows that $i' \le i_p$.

The variable $\textit{SRM-REC}_h.\textit{expected}(s_p)$ is set in $\alpha$ upon either the transmission (when
$h = s_p$) or the reception (when $h \ne s_p$) of $p'$. Let $v \in \textit{states}(RM_I)$ be the state following
either the transmission or the reception of $p'$ by $h$ in $\alpha$, respectively. By definition of $v$, it is
the case that $v[\textit{SRM-REC}_h].\textit{expected}(s_p) \ne \emptyset$. Since $\alpha$ contains neither
$\textit{crash}_h$ nor $\textit{rm-leave}_h$ actions (Constraints 5.1 and 5.2), Lemma 5.21 implies that for any
$v' \in \textit{states}(RM_I)$ in $\alpha$, such that $v \le_\alpha v'$, it is the case that
$v[\textit{SRM-REC}_h].\textit{expected}(s_p) = v'[\textit{SRM-REC}_h].\textit{expected}(s_p)$.

Constraint 5.3 implies that $v.\textit{now} \le \alpha.\textit{trans-time}(p') + d$. Moreover, Lemma 4.3 implies
that $\alpha.\textit{trans-time}(p') \le \alpha.\textit{trans-time}(p)$. Since
$\alpha.\textit{trans-time}(p) + d < u'.\textit{now}$, it follows that $v.\textit{now} < u'.\textit{now}$. Since
$v.\textit{now} < u'.\textit{now}$, it follows that $v \le_\alpha u'$. Thus, since $v \le_\alpha u'$,
$u' \le_\alpha u$, and $v[\textit{SRM-REC}_h].\textit{expected}(s_p) \ne \emptyset$, Lemma 5.21 implies that
$v[\textit{SRM-REC}_h].\textit{expected}(s_p) = u'[\textit{SRM-REC}_h].\textit{expected}(s_p)$ and
$v[\textit{SRM-REC}_h].\textit{expected}(s_p) = u[\textit{SRM-REC}_h].\textit{expected}(s_p)$. Thus, it is the case
that $u'[\textit{SRM-REC}_h].\textit{expected}(s_p) = u[\textit{SRM-REC}_h].\textit{expected}(s_p)$. Since
$\textit{id}(p) \in u[\textit{SRM-REC}_h].\textit{expected}(s_p)$, it follows that
$\textit{id}(p) \in u'[\textit{SRM-REC}_h].\textit{expected}(s_p)$. ■

Let $k^* = \lceil \log_2 [(D_1 + D_2 + D_3 + 2)d - \underline{d}] - \log_2 (C_3 d) \rceil$. The following lemma states
that, under Constraints 5.1, 5.2, 5.3, 5.4, 5.5, and 5.6, $k^*$ is the number of requests that must be scheduled
before the request scheduling delays become large enough to ensure that one round's replies do not
interfere with the next round's requests.

Lemma 5.25 Let $k \in \mathbb{N}^+$, $k > k^*$, $p \in P_{\textit{RM-Client}}$, $h, h' \in H$, $h \ne h'$, and
$\alpha \in \textit{C-aexecs}_k(RM_I)$, such that $\alpha$ contains the transmission of $p$.

Let $u \in \textit{states}(RM_I)$ be any state in $\alpha$, such that
$\textit{id}(p) \in u[\textit{SRM-REC}_h].\textit{expected}(\textit{source}(p))$ and
$\textit{id}(p) \in u[\textit{SRM-REC}_h].\textit{scheduled-rqsts?}$, following which $h$ schedules a $(k+2)$-nd
round request for $p$.

Let $u' \in \textit{states}(RM_I)$ be any state in $\alpha$, such that
$\textit{id}(p) \in u'[\textit{SRM-REC}_{h'}].\textit{delivered}(\textit{source}(p))$, following which $h'$ receives
the $k$-th and $(k+1)$-st round requests of $h$ for $p$.

The replies of $h'$ to the $k$-th and $(k+1)$-st round requests of $h$ for $p$ are distinct.

Proof: It suffices to show that the reply abstinence period pertaining to $h'$'s reply to the $k$-th
round request of $h$ for $p$ expires prior to the time at which $h'$ receives the $(k+1)$-st round request of
$h$ for $p$.

Let $t_k, t_{k+1} \in \mathbb{R}^{\ge 0}$ be the points in time in $\alpha$ at which $h$ schedules its $k$-th and
$(k+1)$-st round requests for $p$. From Lemma 5.19, $h'$ receives the $k$-th round request of $h$ for $p$ no
later than $t_{k+1} + d$. From Lemma 5.18, the abstinence period of the reply of $h'$ to the $k$-th round
request of $h$ for $p$ expires no later than $t_{k+1} + d + (D_1 + D_2 + D_3)d$.

From Lemma 5.16, $h$ either receives or transmits its $(k+1)$-st round request after the point in time
$t_{k+1} + 2^k C_3 d$. From Lemma 5.13, $h'$ receives such a request after the point in time
$t_{k+1} + 2^k C_3 d - d + \underline{d}$. Since
$k^* = \lceil \log_2 [(D_1 + D_2 + D_3 + 2)d - \underline{d}] - \log_2 (C_3 d) \rceil$ and $k > k^*$, it follows
that $2^k C_3 d > (D_1 + D_2 + D_3 + 2)d - \underline{d}$, and hence, adding $t_{k+1} - d + \underline{d}$ to both
sides, that $t_{k+1} + d + (D_1 + D_2 + D_3)d < t_{k+1} + 2^k C_3 d - d + \underline{d}$.

Recall that $h'$ receives the $(k+1)$-st round request of $h$ for $p$ after the point in time
$t_{k+1} + 2^k C_3 d - d + \underline{d}$. Since
$t_{k+1} + d + (D_1 + D_2 + D_3)d < t_{k+1} + 2^k C_3 d - d + \underline{d}$, it follows that $h'$ receives the
$(k+1)$-st round request of $h$ for $p$ after the expiration of the abstinence period of the reply of $h'$ to
the $k$-th round request of $h$ for $p$. It follows that the replies of $h'$ to the $k$-th and $(k+1)$-st round
requests of $h$ for $p$ are distinct. ■

Let $\textit{REC-BOUND}(k) = [(2^k - 1)(C_1 + C_2) + D_1 + D_2 + 2]d$, for $k \in \mathbb{N}^+$. The following lemma
states that, for $k \in \mathbb{N}^+$, the recovery of any packet in an admissible execution
$\alpha \in \textit{C-aexecs}_k(RM_I)$ involves at most $k^* + k$ recovery rounds. Following the $k^*$-th recovery
round, one round's replies do not interfere with the next round's requests. Thus, all recovery rounds that
follow the first $k^*$ recovery rounds may fail only due to packet drops. Since the number of packet drops
pertaining to the recovery of any packet in $\alpha$ is at most $k$, it follows that at most $k^* + k$ recovery
rounds are needed to recover any packet in $\alpha$.
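As an added example (not part of the paper), the timing argument of Lemma 5.25 and the round bound of Lemma 5.26 carried out in Python: the inequality behind $k^*$ is checked round by round, the closed form for $k^*$ is compared against a direct search, and $\textit{REC-BOUND}(k)$ and $\Delta$ are evaluated. The numeric values of $d$, $\underline{d}$, $C_1$–$C_3$, $D_1$–$D_3$ and $\textit{DET-BOUND}$ are constructed, since the paper keeps them symbolic.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class SrmParams:
    """Timing parameters of the SRM model. d and d_lo are the upper and lower
    bounds on IP multicast latency (the paper underlines the lower bound);
    C1..C3 and D1..D3 are SRM's request and reply back-off parameters."""
    d: float
    d_lo: float
    C1: float
    C2: float
    C3: float
    D1: float
    D2: float
    D3: float

def distinct_replies(k: int, P: SrmParams) -> bool:
    """Inequality of Lemma 5.25 for round k, with t_{k+1} taken as 0 since it
    cancels: the abstinence period of h''s reply to the k-th request expires
    no later than t_{k+1} + d + (D1+D2+D3)d, while h' cannot receive the
    (k+1)-st request before t_{k+1} + 2^k C3 d - d + d_lo."""
    abstinence_expiry = P.d + (P.D1 + P.D2 + P.D3) * P.d
    earliest_next_request = (2 ** k) * P.C3 * P.d - P.d + P.d_lo
    return abstinence_expiry < earliest_next_request

def k_star(P: SrmParams) -> int:
    """The paper's closed form: ceil(log2[(D1+D2+D3+2)d - d_lo] - log2(C3 d))."""
    x = math.log2((P.D1 + P.D2 + P.D3 + 2) * P.d - P.d_lo) - math.log2(P.C3 * P.d)
    return math.ceil(x)

def smallest_sufficient_k_star(P: SrmParams, k_max: int = 64) -> int:
    """Least k* such that every round k > k* has distinct replies, found by
    direct search; the condition is monotone in k, so testing k* + 1 suffices."""
    for cand in range(k_max):
        if distinct_replies(cand + 1, P):
            return cand
    raise ValueError("no sufficient k* below k_max")

def rec_bound(k: int, P: SrmParams) -> float:
    """REC-BOUND(k) = [(2^k - 1)(C1 + C2) + D1 + D2 + 2] d."""
    return ((2 ** k - 1) * (P.C1 + P.C2) + P.D1 + P.D2 + 2) * P.d

def delivery_bound(det_bound: float, k: int, P: SrmParams) -> float:
    """Delta of Lemma 5.27 for executions with at most k drops per packet:
    DET-BOUND + REC-BOUND(k* + k). DET-BOUND is passed in as a parameter."""
    return det_bound + rec_bound(k_star(P) + k, P)

# Constructed sample parameters (not values from the paper).
SAMPLE = SrmParams(d=1.0, d_lo=0.2, C1=1.0, C2=2.0, C3=1.0, D1=1.0, D2=1.0, D3=1.0)

if __name__ == "__main__":
    ks = k_star(SAMPLE)
    print(f"k* = {ks} (closed form), {smallest_sufficient_k_star(SAMPLE)} (direct search)")
    for k in range(1, ks + 3):
        print(f"round {k}: next-round replies distinct = {distinct_replies(k, SAMPLE)}")
    print(f"Delta for DET-BOUND = 5, k = 1: {delivery_bound(5.0, 1, SAMPLE)}")
```

The direct search usually returns one less than the closed form, because the ceiling bounds the exponent rather than the round index; both values are sufficient for Lemma 5.25, the paper's being the more conservative.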

Lemma 5.26 Let $k \in \mathbb{N}^+$, $\alpha \in \textit{C-aexecs}_k(RM_I)$, and $u, u' \in \textit{states}(RM_I)$ be
any states in $\alpha$ such that $u.\textit{now} + \textit{REC-BOUND}(k^* + k) < u'.\textit{now}$. For any $h \in H$
and $p \in P_{\textit{RM-Client}}$, if $\textit{id}(p) \in u[\textit{SRM-REC}_h].\textit{scheduled-rqsts?}$, then
$\textit{id}(p) \in u'[\textit{SRM-REC}_h].\textit{delivered}(\textit{source}(p))$.

Proof: Since $\alpha \in \textit{C-aexecs}_k(RM_I)$, Constraints 5.1 and 5.2 imply that the source $s_p$ of $p$
neither crashes nor leaves the reliable multicast group following the transmission of $p$. Thus, it is
capable of replying to any of the retransmission requests for $p$ sent in $\alpha$.

Suppose that $\textit{id}(p) \in u[\textit{SRM-REC}_h].\textit{scheduled-rqsts?}$ and let $v \in \textit{states}(RM_I)$
be the first state in $\alpha$ such that $\textit{id}(p) \in v[\textit{SRM-REC}_h].\textit{scheduled-rqsts?}$ and
$v' \in \textit{states}(RM_I)$ be the first state in $\alpha$ such that
$v.\textit{now} + \textit{REC-BOUND}(k^* + k) < v'.\textit{now}$. By definition, it follows that $v \le_\alpha u$
and $v' \le_\alpha u'$.

Since $\alpha \in \textit{C-aexecs}_k(RM_I)$, it contains at most $k$ packet drops pertaining to the transmission
and recovery of $p$. The loss of the original transmission of the packet $p$ accounts for at least one such
packet drop. Thus, at most $k - 1$ packet drops may occur during the recovery of $p$. Lemmas 5.4 and 5.5
imply that following the state $v$ in $\alpha$, the host $h$ continues initiating recovery rounds for $p$
until $p$ is recovered. We proceed by showing that the host $h$ recovers $p$ by the completion time of its
$(k^* + k)$-th recovery round for $p$.

Consider the interaction of $s_p$ and $h$ pertaining to $h$'s recovery of $p$. From Lemma 5.25, the replies of
$s_p$ to the requests of the recovery rounds of $h$ following the $k^*$-th round of $h$ are distinct. Thus,
each recovery round following the $k^*$-th recovery round may fail only due to either the loss of the
request or the loss of the reply of the given round; that is, each recovery round following the $k^*$-th
recovery round that fails accounts for at least one packet drop. It follows that at most $k^* + k$ recovery
rounds are required for $h$ to successfully recover $p$.

Corollary 5.15, Lemma 5.17, and Constraint 5.3 imply that $h$ completes its $k^* + k$ recovery rounds no
later than $\textit{REC-BOUND}(k^* + k)$ time units past the point in time at which it schedules its first
request for $p$. Since $v$ is the first state in $\alpha$ such that
$\textit{id}(p) \in v[\textit{SRM-REC}_h].\textit{scheduled-rqsts?}$ and
$v.\textit{now} + \textit{REC-BOUND}(k^* + k) < v'.\textit{now}$, it follows that $h$ receives $p$ prior to $v'$ in
$\alpha$. Lemma 5.23 implies that $\textit{id}(p) \in v'[\textit{SRM-REC}_h].\textit{delivered}(s_p)$.

Since $v' \le_\alpha u'$ and $\textit{id}(p) \in v'[\textit{SRM-REC}_h].\textit{delivered}(s_p)$, Lemma 5.23 implies
that $\textit{id}(p) \in u'[\textit{SRM-REC}_h].\textit{delivered}(s_p)$. ■

Lemma 5.27 Let $k \in \mathbb{N}^+$, $\Delta = \textit{DET-BOUND} + \textit{REC-BOUND}(k^* + k)$,
$p \in P_{\textit{RM-Client}}$, $\alpha$ be any admissible timed execution of $RM_I$ in $\textit{C-aexecs}_k(RM_I)$
that contains the transmission of $p$, and $u \in \textit{states}(RM_I)$ be any state in $\alpha$ such that
$\alpha.\textit{trans-time}(p) + \Delta < u.\textit{now}$. For any $h \in H$, if $h \in u.\textit{intended}(p)$, then
it is the case that $h \in u.\textit{completed}(p)$.

Proof: Let $s_p = \textit{source}(p)$ and suppose that $h \in u.\textit{intended}(p)$. Since
$h \in u.\textit{intended}(p)$, it follows that $\textit{id}(p) \in u[\textit{SRM-REC}_h].\textit{expected}(s_p)$. Let
$u' \in \textit{states}(RM_I)$ be the earliest state in $\alpha$ such that
$\alpha.\textit{trans-time}(p) + \textit{DET-BOUND} < u'.\textit{now}$. Since $d \le \textit{DET-BOUND}$, it follows
that $\alpha.\textit{trans-time}(p) + d < u'.\textit{now}$. Since
$\textit{id}(p) \in u[\textit{SRM-REC}_h].\textit{expected}(s_p)$, $\alpha.\textit{trans-time}(p) + d < u'.\textit{now}$,
and $u' \le_\alpha u$, Lemma 5.24 implies that $\textit{id}(p) \in u'[\textit{SRM-REC}_h].\textit{expected}(s_p)$.
Constraint 5.6 implies that either $\textit{id}(p) \in u'[\textit{SRM-REC}_h].\textit{delivered}(s_p)$ or
$\textit{id}(p) \in u'[\textit{SRM-REC}_h].\textit{scheduled-rqsts?}$.

First, consider the case where $\textit{id}(p) \in u'[\textit{SRM-REC}_h].\textit{delivered}(s_p)$. Since
$u' \le_\alpha u$ and $\textit{id}(p) \in u'[\textit{SRM-REC}_h].\textit{delivered}(s_p)$, Lemma 5.23 implies that
$\textit{id}(p) \in u[\textit{SRM-REC}_h].\textit{delivered}(s_p)$. It follows that $h \in u.\textit{completed}(p)$.

Second, consider the case where $\textit{id}(p) \in u'[\textit{SRM-REC}_h].\textit{scheduled-rqsts?}$. Let
$(u'_-, \pi, u')$ be the discrete transition in $\alpha$ leading to the particular occurrence of $u'$. Since
$u'$ is the earliest state in $\alpha$ such that $\alpha.\textit{trans-time}(p) + \textit{DET-BOUND} < u'.\textit{now}$,
it follows that $\pi$ is a non-stuttering time-passage action, $u'_-.\textit{now} < u'.\textit{now}$, and
$u'_-.\textit{now} \le \alpha.\textit{trans-time}(p) + \textit{DET-BOUND}$. Since time-passage actions do not affect
the derived variable $\textit{SRM-REC}_h.\textit{scheduled-rqsts?}$, it follows that
$\textit{id}(p) \in u'_-[\textit{SRM-REC}_h].\textit{scheduled-rqsts?}$. Since
$u'_-.\textit{now} \le \alpha.\textit{trans-time}(p) + \textit{DET-BOUND}$ and
$\alpha.\textit{trans-time}(p) + \Delta < u.\textit{now}$, it follows that
$u'_-.\textit{now} + \textit{REC-BOUND}(k^* + k) < u.\textit{now}$.

Since $u'_-.\textit{now} + \textit{REC-BOUND}(k^* + k) < u.\textit{now}$ and
$\textit{id}(p) \in u'_-[\textit{SRM-REC}_h].\textit{scheduled-rqsts?}$, Lemma 5.26 implies that
$\textit{id}(p) \in u[\textit{SRM-REC}_h].\textit{delivered}(s_p)$; that is, $h \in u.\textit{completed}(p)$. ■

We conclude by showing that any timed trace of $RM_I$ in the set $\textit{C-attraces}_k(RM_I)$ is also a timed
trace of the specification automaton $RM_S(\Delta)$, for $\Delta = \textit{DET-BOUND} + \textit{REC-BOUND}(k^* + k)$.
Thus, given Constraints 5.1, 5.2, 5.3, 5.4, 5.5, and 5.6 and assuming that the number of packet drops
pertaining to the transmission and, potentially, the recovery of any packet is bounded, $RM_I$ implements
the timely reliable multicast service specification $RM_S(\Delta)$.

The proof of this claim involves showing that the relation $R$ of Definition 5.1 is a timed forward
simulation relation from $RM_I$ to $RM_S(\Delta)$, under the aforementioned constraints and assumptions.
The key part of the proof involves showing the correspondence of the time-passage steps. In
particular, we show that active packets are delivered to all the hosts in their intended delivery sets
within $\Delta$ time units.

Theorem 5.28 Let $k \in \mathbb{N}^+$ and $\Delta = \textit{DET-BOUND} + \textit{REC-BOUND}(k^* + k)$. Then, it is the
case that $\textit{C-attraces}_k(RM_I) \subseteq \textit{attraces}(RM_S(\Delta))$.

Proof: It suffices to show that the relation $R$ of Definition 5.1 is a timed forward simulation
relation from $RM_I$ to $RM_S(\Delta)$, for any execution in the set $\textit{C-attraces}_k(RM_I)$.

The proof that $R$ is indeed a timed forward simulation relation is identical to that of Lemma 5.11,
with the exception that in this case showing the correspondence of the time-passage transitions is
nontrivial.

Consider any discrete transition $(u, \pi, u') \in \textit{trans}(RM_I)$, where $\pi = \nu(t)$, for some
$t \in \mathbb{R}^{\ge 0}$, that occurs in any admissible execution of $RM_I$ in the set
$\textit{C-attraces}_k(RM_I)$. It suffices to show that, for any reachable state $s$ of $RM_S(\Delta)$ such that
$(u, s) \in R$, there exists a timed execution fragment $\alpha$ of $RM_S(\Delta)$ such that
$\alpha.\textit{fstate} = s$, $\alpha.\textit{lstate} = s'$, $\textit{ttrace}(\alpha) = \textit{ttrace}(u \pi u')$, the
total amount of time-passage in $\alpha$ is the same as the total amount of time-passage in $u \pi u'$, and
$(u', s') \in R$.

Let $s$ be any reachable state of $RM_S(\Delta)$ such that $(u, s) \in R$. The timed execution fragment of
$RM_S(\Delta)$ corresponding to the step $(u, \pi, u')$ is comprised solely of the $\nu(t)$ action. We must
show that the $\nu(t)$ action is enabled in $s$; that is, we must show that, for any active packet
$p \in s.\textit{active-pkts}$, it is the case that either $s.\textit{now} + t \le s.\textit{trans-time}(p) + \Delta$ or
$s.\textit{intended}(p) \subseteq s.\textit{completed}(p)$. Since $(u, s) \in R$, it suffices to show that, for any
active packet $p \in u.\textit{active-pkts}$, it is the case that either
$u.\textit{now} + t \le u.\textit{trans-time}(p) + \Delta$ or $u.\textit{intended}(p) \subseteq u.\textit{completed}(p)$.

Consider any active packet $p \in u.\textit{active-pkts}$. It suffices to show that if
$u.\textit{trans-time}(p) + \Delta < u.\textit{now} + t$, then $u.\textit{intended}(p) \subseteq u.\textit{completed}(p)$.
Let $h \in H$ be any host in $u.\textit{intended}(p)$. Since the action $\nu(t)$ of $RM_I$ does not affect the
derived history variable $\textit{SRM}.\textit{intended}(p)$, it follows that $h \in u'.\textit{intended}(p)$.
Moreover, since $u.\textit{trans-time}(p) + \Delta < u.\textit{now} + t$ and the action $\nu(t)$ increments the
$\textit{now}$ variable by $t$ time units, it follows that $u.\textit{trans-time}(p) + \Delta < u'.\textit{now}$.
Since $\Delta = \textit{DET-BOUND} + \textit{REC-BOUND}(k^* + k)$, $u.\textit{trans-time}(p) + \Delta < u'.\textit{now}$,
and $h \in u'.\textit{intended}(p)$, Lemmas 5.20 and 5.27 imply that $h \in u'.\textit{completed}(p)$. Since the
action $\nu(t)$ of $RM_I$ does not affect the derived history variable $\textit{SRM}.\textit{completed}(p)$, it
follows that $h \in u.\textit{completed}(p)$. ■



6 Contributions & Future Work 

The contributions of this paper are several. First, we present a timed I/O automaton model of the 
reliable multicast service. This model formally specifies the behavior of several reliable multicast 
protocols that strive to provide eventual delivery with, possibly, some timeliness guarantees. In 
particular, it dictates what it means to be a member of a reliable multicast group and which packets 
are guaranteed delivery to which members of the reliable multicast group. Moreover, we present a 
timed I/O automaton model of the SRM protocol. This model decomposes the functionality of the 
reliable multicast service, thus facilitating reasoning and the future modeling of either variations 
and extensions to SRM's recovery scheme, or other reliable multicast protocols altogether. We 
show that our model of SRM is safe, in the sense that it may only deliver appropriate packets to 
each member of the reliable multicast group. We also show that, under certain constraints, our 
implementation is live, in the sense that it guarantees the timely delivery of the appropriate packets 
to each member of the reliable multicast group. 

In the future, we intend to relax the constraints used in our liveness analysis of SRM and to analyze 
the performance of SRM in the context of a dynamic group membership. We also intend to model, 
analyze, and compare the performance of extensions to SRM and other reliable multicast protocols. 
The safety analysis of each such protocol will guarantee that the protocols are compared on an equal 
footing; something rarely done precisely when comparing protocols. 